Cannot access internet from DMZ

aparikh
Level 1

ASA 5520 8.0(5)

I want guest AP users in the DMZ to browse through the DMZ controller. The user is receiving an IP address (172.17.0.1) from the WLAN controller and can ping 172.17.1.254 & 192.168.1.225, but cannot ping 4.2.2.1. Even the controller (192.168.1.225) cannot ping 4.2.2.1. Following is the config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ Physical Interface
 nameif dmz
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list outside_acl extended permit ip any host 1.1.1.225
static (dmz,outside) 1.1.1.225 192.168.1.225 netmask 255.255.255.255
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
policy-map global_policy
 class inspection_default
  inspect icmp

INET-FW(config)# packet-tracer input dmz icmp 172.17.0.255 8 0 4.2.2.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


4 Replies

Jouni Forss
VIP Alumni

Hi,

The configurations you have posted above don't include any route for the network 172.17.0.0/23.

Also the ACL for the DMZ doesn't allow the traffic from this network or the directly connected network.

- Jouni

I added the following & it is not working:

route dmz 172.17.0.0 255.255.254.0 192.168.1.1 1
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list outside_acl extended permit ip 172.17.0.0 255.255.254.0 any
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip 172.17.0.0 255.255.254.0 any

Hi, (Accepted Solution)

Why is the network routed towards the ASAs interface IP address?

Can you provide a "packet-tracer" for a source address in the network 172.17.0.0/23 towards some external IP.

- Jouni

It is working after adding route dmz 172.17.0.0 & removing nat (dmz) 2 172.17.0.0

Thanks
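Added illustration, not part of this thread: a small Python check over the pre-8.3 nat/global/route lines from the config above. It flags the two conditions the replies point at, a nat id with no matching global on another interface and a translated network with no route via its interface. Both config strings are constructed from the posted config; the fixed one assumes the WLAN controller (192.168.1.225) as next hop for the guest network rather than the ASA's own interface address.

```python
import ipaddress
import re
# Constructed sample: the nat/global/route lines of the ASA 8.0(5) config posted above.
ASA_CONFIG = """
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""
# After the fix from the thread: nat id 2 removed, route for the guest network added
# (assumed next hop: the WLAN controller at 192.168.1.225, not the ASA's own interface).
FIXED_CONFIG = ASA_CONFIG.replace("nat (dmz) 2 172.17.0.0 255.255.254.0\n",
                                  "route dmz 172.17.0.0 255.255.254.0 192.168.1.225 1\n")

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) ")

def parse(config):
    """Collect nat, global and route statements (pre-8.3 NAT syntax)."""
    nats, globals_, routes = [], {}, []
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := ROUTE_RE.match(line):
            iface, net, mask = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}")))
    return nats, globals_, routes

def find_problems(config):
    """One finding per reason a nat statement cannot translate traffic as written."""
    nats, globals_, routes = parse(config)
    findings = []
    for iface, nat_id, net in nats:
        # A nat id only works paired with a global carrying the same id on another interface.
        if not globals_.get(nat_id, set()) - {iface}:
            findings.append(f"nat ({iface}) {nat_id} {net}: no global {nat_id} on another interface")
        if net.prefixlen == 0:
            continue  # 0.0.0.0 0.0.0.0 matches anything; no specific route is expected
        # Replies to the translated hosts must be routable back out the nat interface.
        if not any(r_if == iface and net.subnet_of(r_net) for r_if, r_net in routes):
            findings.append(f"nat ({iface}) {nat_id} {net}: no route for this network via {iface}")
    return findings
```

Running find_problems(ASA_CONFIG) reports both findings against nat (dmz) 2, and find_problems(FIXED_CONFIG) returns an empty list.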
