https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729655#M192319 <P>Hello, try to change the following:</P><P><SPAN style="font-family:courier new,courier,monospace;">no service-policy global_policy <U><STRONG>interface outside</STRONG></U></SPAN></P><P><SPAN style="font-family:courier new,courier,monospace;">service-policy global_policy <U><STRONG>global</STRONG></U></SPAN></P> Fri, 28 Aug 2015 07:21:25 GMT Boris Uskov 2015-08-28T07:21:25Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729653#M192317 <P>Hi everyone,<BR />I have a problem I haven´t been able to solve:</P><P>&nbsp;</P><P>We run an ASA with a DMZ, inside and outside interface (very common scenario) with security levels set by default. I can access from the outside to the webserver running on the DMZ with no problems, but when I try to connect to the Internet from the webserver on the DMZ doesn´t work.<BR /><BR />Here´s the diagram:<BR /><BR />&nbsp; &nbsp;INTERNET<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|<BR />&nbsp;&nbsp; &nbsp; (ASA) -------DMZ 172.16.0.0/24--------- WEBSERVER (172.16.0.63)<BR />&nbsp;&nbsp;&nbsp; &nbsp; &nbsp; &nbsp;|<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| &nbsp; &nbsp;&nbsp;<BR />&nbsp; &nbsp;INSIDE<BR />&nbsp;&nbsp;&nbsp;<BR />I own another Cisco router connected directly to the Internet with its own public IP address running on a different site, and when I ping this router from the Webserver it works, but the source IP address is the one from the DMZ (172.16.0.63) instead of the translated IP.<BR /><BR />&nbsp;Here`s the config from the ASA:<BR />&nbsp;</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;description ****INTERNET****</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nameif outside</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;security-level 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;ip address 200.xxx.xxx.218 255.255.255.248&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/1</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;channel-group 1 mode active</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/2</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;channel-group 1 mode active</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/3</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nameif DMZ</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;security-level 50</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;ip address 172.16.0.1 255.255.255.0&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/4</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/5</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;shutdown</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/6</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;shutdown</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">interface GigabitEthernet0/7</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;shutdown</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no nameif</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no security-level</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;no ip address</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Management0/0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;management-only</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nameif management</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;security-level 100</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;ip address 192.168.1.1 255.255.255.0&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Port-channel1</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-channel load-balance src-dst-ip-port</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nameif inside</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;security-level 100</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;ip address 10.199.0.129 255.255.255.248&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">boot system disk0:/asa916-4-smp-k8.bin</SPAN></P><P class="p1"><SPAN class="s1">ftp mode passive</SPAN></P><P class="p1"><SPAN class="s1">clock timezone ART -3</SPAN></P><P class="p1"><SPAN class="s1">dns domain-lookup management</SPAN></P><P class="p1"><SPAN class="s1">dns domain-lookup DMZ</SPAN></P><P class="p1"><SPAN class="s1">dns server-group DefaultDNS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;domain-name marinadelsol.local</SPAN></P><P class="p1"><SPAN class="s1">object network DMZ-SUBNET</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;subnet 172.16.0.0 255.255.255.0</SPAN></P><P class="p1"><SPAN class="s1">object network WEBSERVER</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;host 172.16.0.63</SPAN></P><P class="p1"><SPAN class="s1">object network IP_PUB_MAILSERVER</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;host 200.xxx.xxx.221</SPAN></P><P class="p1"><SPAN class="s1">object service TCP-HTTP</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP-SMTP</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq smtp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP-HTTPS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object network IP_PUB_WEBSERVER</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;host 200.111.169.219</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_80</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_443</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_SSH</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_DNS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq domain&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service UDP_DNS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service udp source eq domain&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_995</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq 995&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object service TCP_587</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq 587&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">object service TCP_8080</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service tcp source eq 8080&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object-group protocol DM_INLINE_PROTOCOL_1</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;protocol-object ip</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;protocol-object icmp</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_1 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq domain</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq www</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq https</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq smtp</SPAN></P><P class="p1"><SPAN class="s1">object-group protocol TCPUDP</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;protocol-object udp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;protocol-object tcp</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_2 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq www</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq ssh</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_5 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq www</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq ssh</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq https</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_6 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq www</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq https</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq 8080</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_7 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq 3306</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq 81</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_TCP_4 tcp</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq www</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;port-object eq ssh</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_SERVICE_1</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object ip&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">object-group service DM_INLINE_SERVICE_2</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object icmp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq domain&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq smtp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;service-object tcp destination eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit icmp any any&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 host 172.16.0.63 any log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit udp host 172.16.0.63 any eq domain log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit icmp host 172.16.0.53 any log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit icmp host 172.16.0.63 any log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.35 eq 1433&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.42 eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.53 host 10.200.5.35 eq 1433&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 host 10.200.5.34 object-group DM_INLINE_TCP_7&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.0.63 10.200.7.0 255.255.255.0&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.12 any eq smtp log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq www any&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 eq https any&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list DMZ_access_in extended permit tcp host 172.16.0.63 any eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any interface outside eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit udp any object WEBSERVER eq domain&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq domain&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq ssh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit icmp any any&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 995&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object MDSS022 eq 587&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq smtp log&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq www&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq https&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 995&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.12 eq 587&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any host 10.200.5.8 eq 8080&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object MDSS007 eq 8080&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">pager lines 24</SPAN></P><P class="p1"><SPAN class="s1">logging enable</SPAN></P><P class="p1"><SPAN class="s1">logging console informational</SPAN></P><P class="p1"><SPAN class="s1">logging asdm informational</SPAN></P><P class="p1"><SPAN class="s1">mtu outside 1500</SPAN></P><P class="p1"><SPAN class="s1">mtu management 1500</SPAN></P><P class="p1"><SPAN class="s1">mtu inside 1500</SPAN></P><P class="p1"><SPAN class="s1">mtu DMZ 1500</SPAN></P><P class="p1"><SPAN class="s1">no failover</SPAN></P><P class="p1"><SPAN class="s1">icmp unreachable rate-limit 1 burst-size 1</SPAN></P><P class="p1"><SPAN class="s1">asdm image disk0:/asdm-742.bin</SPAN></P><P class="p1"><SPAN class="s1">no asdm history enable</SPAN></P><P class="p1"><SPAN class="s1">arp timeout 14400</SPAN></P><P class="p1"><SPAN class="s1">arp permit-nonconnected</SPAN></P><P class="p1"><SPAN class="s1">nat (any,any) source static WEBSERVER IP_PUB_WEBSERVER</SPAN></P><P class="p1"><SPAN class="s1">nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_80 TCP_80</SPAN></P><P class="p1"><SPAN class="s1">nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_443 TCP_443</SPAN></P><P class="p1"><SPAN class="s1">nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_SSH TCP_SSH</SPAN></P><P class="p1"><SPAN class="s1">nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service TCP_DNS TCP_DNS</SPAN></P><P class="p1"><SPAN class="s1">nat (DMZ,outside) source static WEBSERVER IP_PUB_WEBSERVER service UDP_DNS UDP_DNS</SPAN></P><P class="p1"><SPAN class="s1">nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTP TCP-HTTP</SPAN></P><P class="p1"><SPAN class="s1">nat (inside,outside) source static MDSS022 IP_PUB_MAILSERVER service TCP-HTTPS TCP-HTTPS</SPAN></P><P class="p1"><SPAN class="s1">nat (inside,outside) source static MDSS007 IP_PUB_MDSS007 service TCP_8080 TCP_8080</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">object network DMZ-SUBNET</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nat (DMZ,outside) dynamic interface</SPAN></P><P class="p1"><SPAN class="s1">object network ALL_VLANS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;nat (inside,outside) dynamic interface</SPAN></P><P class="p1"><SPAN class="s1">access-group OUTSIDE-INBOUND in interface outside</SPAN></P><P class="p1"><SPAN class="s1">access-group DMZ_access_in in interface DMZ</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">route outside 0.0.0.0 0.0.0.0 200.111.169.217 1&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">timeout xlate 3:00:00</SPAN></P><P class="p1"><SPAN class="s1">timeout pat-xlate 0:00:30</SPAN></P><P class="p1"><SPAN class="s1">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</SPAN></P><P class="p1"><SPAN class="s1">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</SPAN></P><P class="p1"><SPAN class="s1">timeout tcp-proxy-reassembly 0:01:00</SPAN></P><P class="p1"><SPAN class="s1">timeout floating-conn 0:00:00</SPAN></P><P class="p1"><SPAN class="s1">dynamic-access-policy-record DfltAccessPolicy</SPAN></P><P class="p1"><SPAN class="s1">user-identity default-domain LOCAL</SPAN></P><P class="p1"><SPAN class="s1">aaa authentication ssh console LOCAL&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">aaa authentication http console LOCAL&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">aaa authorization exec LOCAL&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">class-map inspection_defaul</SPAN></P><P class="p1"><SPAN class="s1">class-map inspection_default</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;match default-inspection-traffic</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">policy-map type inspect dns preset_dns_map</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;parameters</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; message-length maximum client auto</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; message-length maximum 512</SPAN></P><P class="p1"><SPAN class="s1">policy-map global_policy</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;class inspection_default</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect dns preset_dns_map&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect ftp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect h323 h225&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect h323 ras&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect rsh&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect rtsp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect esmtp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect sqlnet&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect skinny &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect sunrpc&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect xdmcp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect sip &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect netbios&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect tftp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect ip-options&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect icmp error&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; inspect icmp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">service-policy global_policy interface outside</SPAN></P><P class="p1"><SPAN class="s1">prompt hostname context&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">no call-home reporting anonymous</SPAN></P><P class="p1"><SPAN class="s1">Cryptochecksum:6e91d23f5a57864e4be311cecb5f0620</SPAN></P><P class="p1"><SPAN class="s1">: end</SPAN></P><P class="p1"><SPAN class="s1">FWL#&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">If I ping from the Webserver to my external router, this is the output from the <STRONG>debug ip icmp </STRONG>command</P><P>&nbsp;</P><P class="p1"><SPAN class="s1">Router_EXT#debug ip icmp&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">ICMP packet debugging is on</SPAN></P><P class="p1"><SPAN class="s1">Router_EXT#</SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:28.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:29.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:30.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:31.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:32.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:33.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1"><SPAN class="s1">*Aug 27 23:13:34.326: ICMP: echo reply sent, src 179.57.200.252, dst <STRONG>172.16.0.63</STRONG></SPAN></P><P class="p1">&nbsp;</P><P class="p1">The destination IP address for the ping packet is actually the local IP of the webserver inside the DMZ (172.16.0.63) and not the public IP address. That it means the packets are being sent from the ASA to the Internet but not translated.&nbsp;<BR /><BR />Here´s the output of the&nbsp;<STRONG>show nat</STRONG></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">FWL#show nat</SPAN></P><P class="p1"><SPAN class="s1">Manual NAT Policies (Section 1)</SPAN></P><P class="p1"><SPAN class="s1">1 (any) to (any) source static WEBSERVER IP_PUB_WEBSERVER &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 2643, untranslate_hits = 3293</SPAN></P><P class="p1"><SPAN class="s1">2 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER &nbsp; service TCP_80 TCP_80</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 1969933, untranslate_hits = 2816124</SPAN></P><P class="p1"><SPAN class="s1">3 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER &nbsp; service TCP_443 TCP_443</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 2119, untranslate_hits = 2628</SPAN></P><P class="p1"><SPAN class="s1">4 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER &nbsp; service TCP_SSH TCP_SSH</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 568075, untranslate_hits = 587410</SPAN></P><P class="p1"><SPAN class="s1">5 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER &nbsp; service TCP_DNS TCP_DNS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 6023, untranslate_hits = 29786</SPAN></P><P class="p1"><SPAN class="s1">6 (DMZ) to (outside) source static WEBSERVER IP_PUB_WEBSERVER &nbsp; service UDP_DNS UDP_DNS</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 261774, untranslate_hits = 573300</SPAN></P><P class="p1">&nbsp;</P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Auto NAT Policies (Section 2)</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">10 (DMZ) to (outside) source dynamic DMZ-SUBNET interface &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">NOTE: I have hidden some info which is related to the traffic between the inside and outside which is OK.<BR /><BR />&nbsp;</P><P>Thank you very much!<BR />&nbsp;</P> Tue, 12 Mar 2019 06:30:36 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729653#M192317 Paulo Colomes 2019-03-12T06:30:36Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729654#M192318 <P>Hi,</P><P>Try this command to see what's blocking the traffic,</P><P>packet-tracer input DMZ icmp 10.0.0.1 8 0 8.8.8.8</P><P>&nbsp;</P><P>To see the actual packets you could try a packet capture:</P><P>&nbsp;access-list allowICMP extended permit icmp any any</P><P>capture temp interface outside access-list allowICMP</P><P>Traian</P><P>&nbsp;</P> Fri, 28 Aug 2015 07:03:34 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729654#M192318 Traian Bratescu 2015-08-28T07:03:34Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729655#M192319 <P>Hello, try to change the following:</P><P><SPAN style="font-family:courier new,courier,monospace;">no service-policy global_policy <U><STRONG>interface outside</STRONG></U></SPAN></P><P><SPAN style="font-family:courier new,courier,monospace;">service-policy global_policy <U><STRONG>global</STRONG></U></SPAN></P> Fri, 28 Aug 2015 07:21:25 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729655#M192319 Boris Uskov 2015-08-28T07:21:25Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729656#M192320 <P>Hi Boris. Thanks for that, it worked perfectly. &nbsp;Could you perhaps explain me why that command worked?&nbsp;</P> Fri, 28 Aug 2015 21:37:38 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729656#M192320 Paulo Colomes 2015-08-28T21:37:38Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729657#M192321 <P>Hello,&nbsp;</P><P>As a matter of fact, I was not 100% confident, that my advice would solve the problem so simply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />That is because all your Access-lists on ASA were configured to permit ICMP traffic. But I know, that the "service-policy global_policy global" is the default configuration for ASAs and "service-policy global_policy <U><STRONG>outside</STRONG></U>" was a bit strange for me.<BR />I believe, that if you delete "service-policy global_policy global" from your configuration, ping will still be working, because ICMP is simply permitted in all ACLs.&nbsp;<BR />But if you have "service-policy global_policy" applied only to <U><STRONG>outside</STRONG></U> interface, it seems, that ASA is trying to create connections in conn-table and xlate-table only when the reply packets (e.g. ICMP ECHO-REPLYs) came from Internet to outside interface. And it seems, that despite the permitions in ACLs, this situation breaks some of ASAs internal logic in creating fast-pathes.</P> Sun, 30 Aug 2015 19:23:28 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-hosts-not-able-to-connect-to-internet/m-p/2729657#M192321 Boris Uskov 2015-08-30T19:23:28Z