12-02-2011 11:07 AM - edited 03-11-2019 02:58 PM
I need a little help. I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config; any help would be appreciated.
ASA Version 8.4(2)
!
hostname xxxx
domain-name xxxxx
enable password xxxx encrypted
passwd xxxx encrypted
names
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 69.xxx.xxx.82 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.0.2 255.255.0.0
!
interface Ethernet0/2
nameif dmz
security-level 80
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxx
object network insidetoInternet
subnet 10.1.0.0 255.255.0.0
description Inside net to Internet connector
object network RemoteAccessServer
host 10.1.2.7
description Internal Terminal Server 3389
object network WebServer
host 172.16.1.10
description Web Server in DMZ
object network dmz-to-inside
subnet 172.16.1.0 255.255.255.0
description Route traffic DMZ and Inside
object network ExchangeServer
host 10.1.2.3
description Exchange (Mail) Server
object network NS1
host 172.16.1.11
description DNS Server in DMZ
object network NS2
host 172.16.1.12
description DNS Server in DMZ
object network inside-to-dmz
subnet 10.1.0.0 255.255.0.0
description Route traffic DMZ and Inside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object ExchangeServer
network-object object WebServer
object-group network DM_INLINE_NETWORK_2
network-object object NS1
network-object object NS2
access-list dmz_access_in extended permit tcp any object inside-to-dmz eq smtp
access-list outside_access_in extended permit tcp any object RemoteAccessServer eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq domain
access-list outside_access_in extended permit tcp any object ExchangeServer eq 2883
access-list outside_access_in extended permit tcp any object ExchangeServer eq smtp
access-list outside_access_in extended permit tcp any object ExchangeServer eq https
access-list outside_access_in extended permit tcp any object ExchangeServer eq 8080
access-list outside_access_in extended permit tcp any object ExchangeServer eq 4343
access-list outside_access_in extended permit icmp any any inactive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,dmz) source static inside-to-dmz inside-to-dmz destination static dmz-to-inside dmz-to-inside
!
object network insidetoInternet
nat (inside,outside) dynamic interface
object network RemoteAccessServer
nat (inside,outside) static 69.xxx.xxx.88
object network WebServer
nat (dmz,any) static 69.xxx.xxx.90
object network ExchangeServer
nat (inside,any) static 69.xxx.xxx.85
object network NS1
nat (dmz,any) static 69.xxx.xxx.91
object network NS2
nat (dmz,any) static 69.xxx.xxx.92
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.2.3 source inside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxx
: end
[OK]
12-02-2011 11:14 AM
Hi Lon,
You have this access-list applied on your dmz interface:
access-list dmz_access_in extended permit tcp any object inside-to-dmz eq smtp
This would block your internet access, you need to add this:
access-list dmz_access_in extended permit tcp any any
Let me know how it goes.
Thanks,
Varun
12-02-2011 12:29 PM
Well... That does get me to the Internet. However, I put that other one in place so I could send email from an online form. It was connecting to our mail server on the inside.
12-02-2011 12:37 PM
Hi Lon,
If you have the tcp any any access-list, you can remove the first one. Once you put an access-list on the dmz interface, you have to explicitly allow traffic even from a higher-security interface to a lower one (which is dmz to outside).
Hope that helps,
Thanks,
Varun
Please do rate helpful posts.
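The ACL behaviour Varun describes, as an added Python model that is not part of the thread or of Cisco's code: with no ACL on the dmz interface the DMZ (level 80) may reach outside (level 0) but not inside (level 100); once the posted dmz_access_in is applied, only the SMTP line can match and the implicit deny at the end stops the web server's outbound HTTP. The DMZ_ACL_TIGHT list and the external address 198.51.100.20 are assumptions for illustration, not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Interface security levels taken from the posted ASA config
SECURITY_LEVEL = {"outside": 0, "inside": 100, "dmz": 80}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: str                    # CIDR string or "any"
    dst: str                    # CIDR string or "any"
    dport: Optional[int] = None  # None means any destination port

def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and _in_net(ace.src, src) and _in_net(ace.dst, dst)
            and (ace.dport is None or ace.dport == dport))

def permitted(ingress: str, egress: str, acl: Optional[List[Ace]],
              proto: str, src: str, dst: str, dport: int) -> bool:
    """Decide whether a new flow entering 'ingress' may leave via 'egress'.
    No ACL on the ingress interface: only higher-to-lower security level passes.
    ACL applied: first matching ACE wins, and an implicit deny ends the list."""
    if acl is None:
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action == "permit"
    return False

# dmz_access_in as posted: SMTP from the DMZ toward the inside subnet only
DMZ_ACL_ORIGINAL = [Ace("permit", "tcp", "any", "10.1.0.0/16", 25)]
# dmz_access_in after adding the line suggested in the reply
DMZ_ACL_PATCHED = DMZ_ACL_ORIGINAL + [Ace("permit", "tcp", "any", "any")]
# Assumed tighter variant (not from the thread): DMZ hosts may only browse and resolve names
DMZ_ACL_TIGHT = DMZ_ACL_ORIGINAL + [
    Ace("permit", "tcp", "172.16.1.0/24", "any", 80),
    Ace("permit", "tcp", "172.16.1.0/24", "any", 443),
    Ace("permit", "udp", "172.16.1.0/24", "any", 53),
]

if __name__ == "__main__":  # web server 172.16.1.10 toward a constructed external host
    for name, acl in [("original", DMZ_ACL_ORIGINAL), ("patched", DMZ_ACL_PATCHED), ("tight", DMZ_ACL_TIGHT)]:
        print(name, permitted("dmz", "outside", acl, "tcp", "172.16.1.10", "198.51.100.20", 80))
```

Because the same ACL governs every flow entering the dmz interface, the patched list also permits any TCP from the DMZ to the inside network (for example to 10.1.2.7:3389), which the tighter variant avoids.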