ASA 5510 8.4 DMZ cannot access Internet

Lon
Level 1

I need a little help.  I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config; any help would be appreciated.

ASA Version 8.4(2)
!
hostname xxxx
domain-name xxxxx
enable password xxxx encrypted
passwd xxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 69.xxx.xxx.82 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.2 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 80
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxx
object network insidetoInternet
 subnet 10.1.0.0 255.255.0.0
 description Inside net to Internet connector
object network RemoteAccessServer
 host 10.1.2.7
 description Internal Terminal Server 3389
object network WebServer
 host 172.16.1.10
 description Web Server in DMZ
object network dmz-to-inside
 subnet 172.16.1.0 255.255.255.0
 description Route traffic DMZ and Inside
object network ExchangeServer
 host 10.1.2.3
 description Exchange (Mail) Server
object network NS1
 host 172.16.1.11
 description DNS Server in DMZ
object network NS2
 host 172.16.1.12
 description DNS Server in DMZ
object network inside-to-dmz
 subnet 10.1.0.0 255.255.0.0
 description Route traffic DMZ and Inside
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object ExchangeServer
 network-object object WebServer
object-group network DM_INLINE_NETWORK_2
 network-object object NS1
 network-object object NS2
access-list dmz_access_in extended permit tcp any object inside-to-dmz eq smtp
access-list outside_access_in extended permit tcp any object RemoteAccessServer eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq domain
access-list outside_access_in extended permit tcp any object ExchangeServer eq 2883
access-list outside_access_in extended permit tcp any object ExchangeServer eq smtp
access-list outside_access_in extended permit tcp any object ExchangeServer eq https
access-list outside_access_in extended permit tcp any object ExchangeServer eq 8080
access-list outside_access_in extended permit tcp any object ExchangeServer eq 4343
access-list outside_access_in extended permit icmp any any inactive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,dmz) source static inside-to-dmz inside-to-dmz destination static dmz-to-inside dmz-to-inside
!
object network insidetoInternet
 nat (inside,outside) dynamic interface
object network RemoteAccessServer
 nat (inside,outside) static 69.xxx.xxx.88
object network WebServer
 nat (dmz,any) static 69.xxx.xxx.90
object network ExchangeServer
 nat (inside,any) static 69.xxx.xxx.85
object network NS1
 nat (dmz,any) static 69.xxx.xxx.91
object network NS2
 nat (dmz,any) static 69.xxx.xxx.92
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.2.3 source inside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxx
: end
[OK]

3 Replies

varrao
Level 10

Hi Lon,

You have this access-list applied on your dmz interface:

access-list dmz_access_in extended permit tcp any object inside-to-dmz eq smtp

This would block your internet access; you need to add this:

access-list dmz_access_in extended permit tcp any any

Let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

Well...  That does get me to the Internet.  However, I put that other one in place so I could send email from an online form.  It was connecting to our mail server on the inside.

Hi Lon,

If you have the tcp any any access-list you can remove the first one. Once you put an access-list on the dmz interface, then you would have to explicitly allow traffic even from higher interface to lower (which is dmz to outside).

Hope that helps,

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao
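The explanation above is right: an ACL bound to the dmz interface ends in an implicit deny, so dmz-to-outside must be permitted explicitly. But "permit tcp any any" on dmz also lets every DMZ host open any TCP port toward 10.1.0.0/16 (the identity NAT between inside and dmz is already in place), which is not what a DMZ is for. The following is an added example of a tighter dmz_access_in, not a config from the thread; it reuses the object names from Lon's config and assumes the form only needs SMTP to ExchangeServer, that NS1/NS2 need DNS outbound, and that DMZ hosts need only HTTP/HTTPS to the Internet.

```cisco
! Added example, not from the original thread. Object names are Lon's:
! inside-to-dmz = 10.1.0.0/16, dmz-to-inside = 172.16.1.0/24 (note the
! object names are reversed relative to what they contain).
! ASA evaluates an interface ACL top-down, first match wins, implicit deny
! at the end; ordering is what keeps the broad Internet permits below from
! ever matching traffic aimed at the inside LAN.
object-group network DMZ_DNS_SERVERS
 network-object object NS1
 network-object object NS2
!
! 1. Only the web server may talk to the mail server, and only on SMTP.
access-list dmz_access_in extended permit tcp object WebServer object ExchangeServer eq smtp
! 2. Everything else from the DMZ toward the inside LAN is denied and logged,
!    so a compromised DMZ host cannot reach 10.1.2.7:3389 and the like.
access-list dmz_access_in extended deny ip any object inside-to-dmz log
! 3. The DMZ DNS servers recurse to the Internet over UDP and TCP 53.
access-list dmz_access_in extended permit object-group TCPUDP object-group DMZ_DNS_SERVERS any eq domain
! 4. DMZ hosts reach the Internet for web/updates only (assumption: nothing
!    else outbound is needed). "any" is safe here because of line 2.
access-list dmz_access_in extended permit tcp object dmz-to-inside any eq www
access-list dmz_access_in extended permit tcp object dmz-to-inside any eq https
!
! Bind (or re-bind) the ACL to the dmz interface.
access-group dmz_access_in in interface dmz
```

To check the ordering before trusting it, run packet-tracer from the DMZ: "packet-tracer input dmz tcp 172.16.1.10 1025 10.1.2.7 3389" should end in DROP at the ACCESS-LIST phase, while "packet-tracer input dmz tcp 172.16.1.10 1025 10.1.2.3 25" and a test to an Internet address on port 80 should end in ALLOW.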