Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
2
Replies

DMZ to outside Cisco ASA 5505

Go to solution
ChristopheVL
Level 1
Level 1

‎01-07-2015 06:35 AM - edited ‎03-11-2019 10:18 PM

Hi,

 

i have problem configuring DMZ to access outside.

I'm not able to ping from DMZ network to DMZ interface (gateway) neither am i able to contact the internet with DMZ hosts

I'm able to ping from LAN to LAN gateway (inspect ICMP service policy)

 

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.0.0.0
!
interface Vlan2
 description Connection to Internet
 nameif outside
 security-level 0
 pppoe client vpdn group Dial_Belgacom
 ip address pppoe setroute
!
interface Vlan12
 description DMZ
 nameif DMZ
 security-level 50
 ip address 172.20.1.254 255.255.255.0

 

access-list DMZ_access_in extended permit ip object NetworkDMZ any
access-list DMZ_access_in extended deny ip object NetworkDMZ any


object network in-out
 nat (inside,outside) dynamic interface
object network DMZ-Out
 nat (DMZ,outside) dynamic interface


access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

 

NAT rules

 

Thanks,

Christophe

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎01-07-2015 10:53 AM

Do you have the security plus license installed?

Are using a single ASA interface? if so, is that port configured to be a trunk?

Have you tried a shut / no shut on the DMZ interface?

Have you tried removing the configuration from the DMZ interface and re adding it?

Have you made 100% sure that the IP you are testing from in the DMZ network is within the subnet 172.20.1.0/24?

What is between the ASA and the test PC? (switch, L3 switch, router...etc.)

If you configure a port on the ASA to be in vlan 12 and connect a PC directly to that port, do you get a successful test?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marius Gunnerud
VIP
VIP

‎01-07-2015 10:53 AM

Do you have the security plus license installed?

Are using a single ASA interface? if so, is that port configured to be a trunk?

Have you tried a shut / no shut on the DMZ interface?

Have you tried removing the configuration from the DMZ interface and re adding it?

Have you made 100% sure that the IP you are testing from in the DMZ network is within the subnet 172.20.1.0/24?

What is between the ASA and the test PC? (switch, L3 switch, router...etc.)

If you configure a port on the ASA to be in vlan 12 and connect a PC directly to that port, do you get a successful test?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
ChristopheVL
Level 1
Level 1

‎01-08-2015 12:45 PM

Hi Marius,

 

Thanks for your fast reply.

The problem was that the DMZ interface was in access mode and not trunk.

 

Thanks for the help

Christophe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card