Re: DMZ can not access the internet, but inside can.

Incognito1971 · ‎08-22-2013

Can someone shed some light on this? This is the first time that I have ever worked with a Cisco device and it is showing. From tutorials, I have my inside accessing the internet and a couple of webservers are accessible from the outside. If you are in Michigan, I'll take you salmon fishing.

My 3 servers on my DMZ vlan can ping each other, but can not ping interface 172.28.0.5. I have checked that the DMZ VLAN is setup between the servers and the asa 5515 firewall.

Inside computers also can not ping the dmz interface 172.28.0.5, but they can ping the inside interface 192.168.7.165

Here is my config:

interface GigabitEthernet0/0

nameif Inside

security-level 100

ip address 192.168.7.165 255.255.248.0

!

interface GigabitEthernet0/1

description Wireless

nameif Wireless

security-level 75

ip address 10.59.0.1 255.255.0.0

!

interface GigabitEthernet0/2

description Perimeter

nameif DMZ

security-level 50

ip address 172.28.0.5 255.255.255.224

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif Outside

security-level 0

ip address 38.65.225.1 255.255.252.0

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.10.1 255.255.255.0

!

boot system disk0:/asa912-smp-k8.bin

boot system disk0:/asa901-smp-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name Westshore.edu

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network OBJ_GENERIC_ALL

subnet 0.0.0.0 0.0.0.0

object network WWW_webserver

host 192.168.0.68

description Cascade

object network Direct_Access

host 192.168.7.162

description WSCC-S-004014

object network Camtasia

host 192.168.0.204

description WSCC-S-003050

object-group network PAT-SOURCE

description PAT Source Networks

network-object 192.168.0.0 255.255.248.0

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list OUTSIDE-IN remark WSCC-S-003056

access-list OUTSIDE-IN extended permit tcp any object WWW_webserver object-group DM_INLINE_TCP_1

access-list OUTSIDE-IN remark WSCC-S-004014

access-list OUTSIDE-IN extended permit ip any object Direct_Access

access-list OUTSIDE-IN remark WSCC-S-003050

access-list OUTSIDE-IN extended permit tcp any object Camtasia eq https

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Wireless 1500

mtu DMZ 1500

mtu Outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DMZ,Outside) source dynamic OBJ_GENERIC_ALL interface

nat (Inside,Outside) source dynamic OBJ_GENERIC_ALL interface

!

object network WWW_webserver

nat (Inside,Outside) static 38.65.225.60

object network Direct_Access

nat (any,any) static 38.65.225.10

object network Camtasia

nat (any,any) static 38.65.225.61

access-group OUTSIDE-IN in interface Outside

route Outside 0.0.0.0 0.0.0.0 38.65.224.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.10.0 255.255.255.0 management

http 192.168.2.152 255.255.255.252 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet 192.168.2.152 255.255.255.255 Inside

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access Inside

dhcpd address 192.168.10.2-192.168.10.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:43ed98e7cc98d6cb0441da263c23a167

: end

asdm image disk0:/asdm-713.bin

no asdm history enable

Marius Gunnerud · ‎08-22-2013

You may have to permit ping on the DMZ interface.

icmp permit any DMZ

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎08-22-2013

Also Please run the packet tracer and post the output here.

packet-tracer input inside tcp host 192.168.7.16 4444 host 172.28.0.10 80 detail

--
Please remember to select a correct answer and rate helpful posts

Incognito1971 · ‎08-22-2013

9 Hours of work... the port connected to the firewall needed to be untagged on vlan 4 instead of tagged.

I might have to sign up for truck driving school. See the country, decent pay, and great benefits...

Thank you Marius, that command will come in handy.