https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458666#M654945 <HTML><HEAD></HEAD><BODY><P>If you are testing with ping, please make sure that icmp inspection has been turned on/enabled.</P><P></P><P>If you are using the default policy map on the ASA, the configuration will be as follows:</P><P>policy-map global_policy<BR /> class inspection_default</P><P>&nbsp;&nbsp;&nbsp;&nbsp; inspect icmp</P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 02 Jul 2010 22:52:08 GMT Jennifer Halim 2010-07-02T22:52:08Z https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458664#M654943 <P>I have DMZ interface with 192.168.1.0\24with the following config on the firewall:</P><P></P><P></P><P>nat (dmz) 2 192.168.1.0 255.255.255.0</P><P>global (outside) 2 &lt;publicIP&gt;</P><P></P><P>the dmz interface on the firewall is 192.168.1.1 and it can ping all dmz servers, so routing is not the issue</P><P></P><P>and no access-group for the dmz interface.</P><P></P><P>yet dmz servers are unable to access the internet.</P><P></P><P>is there anything missing in this config?</P><P>when I run a capture I see the traffic hitting the dmz interface yet nothing coming back, ie:</P><P></P><P>158: 06:27:07.126000 192.168.1.13 &gt; 4.2.2.2: icmp: echo request<BR /> 159: 06:27:12.625822 192.168.1.13 &gt; 4.2.2.2: icmp: echo request<BR /> 160: 06:27:18.125771 192.168.1.13 &gt; 4.2.2.2: icmp: echo request<BR /> 161: 06:27:23.625639 192.168.1.13 &gt; 4.2.2.2: icmp: echo request<BR /> 162: 06:27:29.125573 192.168.1.13 &gt; 4.2.2.2: icmp: echo request</P> Mon, 11 Mar 2019 18:07:04 GMT https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458664#M654943 ronshuster 2019-03-11T18:07:04Z https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458665#M654944 <HTML><HEAD></HEAD><BODY><P>Looks good from my point.</P><P></P><P>Please check the security lvl of your interfaces.</P><P>Maybe you need to assign a higher security lvl to your DMZ interface</P><P></P><P></P><P>HTH (if so please rate <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN> )</P><P>cheers Michael</P></BODY></HTML> Fri, 02 Jul 2010 20:14:32 GMT https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458665#M654944 Michael Dombek 2010-07-02T20:14:32Z https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458666#M654945 <HTML><HEAD></HEAD><BODY><P>If you are testing with ping, please make sure that icmp inspection has been turned on/enabled.</P><P></P><P>If you are using the default policy map on the ASA, the configuration will be as follows:</P><P>policy-map global_policy<BR /> class inspection_default</P><P>&nbsp;&nbsp;&nbsp;&nbsp; inspect icmp</P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 02 Jul 2010 22:52:08 GMT https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458666#M654945 Jennifer Halim 2010-07-02T22:52:08Z https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458667#M654946 <HTML><HEAD></HEAD><BODY><P>Have you enabled ICMP traffic on the outside interface of the firewall? If no, please try "icmp permit any outside". Also, which firewall you are using? Is it 5505? If it is 5505, you might have license limitations.</P></BODY></HTML> Tue, 06 Jul 2010 04:48:09 GMT https://community.cisco.com/t5/network-security/dmz-unable-to-access-the-internet/m-p/1458667#M654946 Nagaraja Thanthry 2010-07-06T04:48:09Z