Cannot access outside from dmz, ASA 5505.

danparsons — Mon, 11 Mar 2019 17:47:54 GMT

Hi guys,

I have looked over my config and gone through several cisco helpsheets, I still cannot access the outside from "inside" the dmz. Here is an overview of what I can and cannot do.

OUTSIDE >>> DMZ = OK

INSIDE >>>>> DMZ = OK

DMZ >>>>>>> INSIDE = OK

DMZ >>>>>>> OUTSIDE = FAIL.

What I need to do is to be able to access an external SMTP server from the DMZ. If I telnet pt 25 to an "OUTSIDE" server it fails. If I do it to my "INSIDE" server it works.

Here are the relevant sections of the config. I assume I have missed something stupid and have looked over it too many times and need some fresh eyes.

Many thanks for your help.

Dan.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.20 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
!

ftp mode passive
dns server-group DefaultDNS
domain-name cheese
access-list services extended permit tcp any host 99.99.99.98 eq www
access-list inside extended permit tcp host 10.30.30.30 any eq smtp
access-list inside extended permit ip any any
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq domain
access-list dmz-in extended permit tcp host 10.30.30.30 host 192.168.0.10 eq 88
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq 389
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 99.99.99.98 www 10.30.30.30 www netmask 255.255.255.255
static (inside,dmz) 10.30.30.30 192.168.0.111 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz-in in interface dmz
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1

Re: Cannot access outside from dmz, ASA 5505.

Jennifer Halim — Wed, 19 May 2010 09:24:56 GMT

Add the following statement and you should have access to the outside from dmz:

no nat (inside) 1 10.30.30.0 255.255.255.0

nat (dmz) 1 10.30.30.0 255.255.255.0

"clear xlate" after the above changes, and dmz should have access to the internet.

Hope that helps.

Re: Cannot access outside from dmz, ASA 5505.

danparsons — Wed, 19 May 2010 09:28:45 GMT

You are awesome,

Thanks very much, works great. Think I need to brush up on DMZ setups.

topic Re: Cannot access outside from dmz, ASA 5505. in Network Security

Cannot access outside from dmz, ASA 5505.

Re: Cannot access outside from dmz, ASA 5505.

Re: Cannot access outside from dmz, ASA 5505.