05-19-2010 02:20 AM - edited 03-11-2019 10:47 AM
Hi guys,
I have looked over my config and gone through several Cisco help sheets, but I still cannot access the outside from "inside" the DMZ. Here is an overview of what I can and cannot do.
OUTSIDE >>> DMZ = OK
INSIDE >>>>> DMZ = OK
DMZ >>>>>>> INSIDE = OK
DMZ >>>>>>> OUTSIDE = FAIL.
What I need to do is to be able to access an external SMTP server from the DMZ. If I telnet to port 25 on an "OUTSIDE" server, it fails. If I do it to my "INSIDE" server, it works.
Here are the relevant sections of the config. I assume I have missed something stupid and have looked over it too many times and need some fresh eyes.
Many thanks for your help.
Dan.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.20 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name cheese
access-list services extended permit tcp any host 99.99.99.98 eq www
access-list inside extended permit tcp host 10.30.30.30 any eq smtp
access-list inside extended permit ip any any
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq domain
access-list dmz-in extended permit tcp host 10.30.30.30 host 192.168.0.10 eq 88
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq 389
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 99.99.99.98 www 10.30.30.30 www netmask 255.255.255.255
static (inside,dmz) 10.30.30.30 192.168.0.111 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz-in in interface dmz
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
05-19-2010 02:24 AM
Add the following statement and you should have access to the outside from dmz:
no nat (inside) 1 10.30.30.0 255.255.255.0
nat (dmz) 1 10.30.30.0 255.255.255.0
"clear xlate" after the above changes, and dmz should have access to the internet.
Hope that helps.
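Why the fix works: in the pre-8.3 NAT syntax used in this thread, the interface named in `nat (ifname) id net mask` is the interface on which the real (untranslated) addresses live. 10.30.30.0/24 is the dmz subnet, so `nat (inside) 1 10.30.30.0 255.255.255.0` never matches packets arriving on dmz, no translation to the `global (outside) 1` pool is built, and dmz-to-outside traffic is dropped while dmz-to-inside still works because no translation is needed. The Python below is an added example, not code from the poster, the answerer or Cisco: it parses `nameif`, `ip address`, `route` and `nat` lines, works out which interface owns each NAT rule's network by longest-prefix match, and emits the same two-line correction the answer gives. The sample config is constructed from the question (the `nat (inside) 0 access-list nonat` form is deliberately ignored, and catch-all 0.0.0.0/0 rules are skipped because they are legitimately bound to any interface).

```python
"""Lint pre-8.3 ASA 'nat (ifname) id net mask' rules: flag rules whose real
network is not reached through the interface they are bound to."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, taken from the question's configuration before the
# answer's fix: 10.30.30.0/24 is the dmz subnet, but its NAT rule says 'inside'.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.20 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.99.99.99 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+" + QUAD + r"\s+" + QUAD)
# Only the 'net mask' form; 'nat (x) 0 access-list name' does not match.
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+" + QUAD + r"\s+" + QUAD)
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+" + QUAD + r"\s+" + QUAD + r"\s+\S+")


class NatRule(NamedTuple):
    iface: str
    nat_id: str
    network: ipaddress.IPv4Network


class Finding(NamedTuple):
    rule: NatRule
    expected_iface: str
    fix: List[str]  # CLI lines that move the rule to the owning interface


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def parse_networks(config: str) -> Dict[ipaddress.IPv4Network, str]:
    """Map each known network (connected subnet or static route) to the
    interface it is reached through."""
    owner: Dict[ipaddress.IPv4Network, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface"):
            current = None  # new interface block, nameif not yet seen
        elif (m := NAMEIF_RE.match(line)):
            current = m.group(1)
        elif (m := IPADDR_RE.match(line)) and current:
            owner[_net(m.group(1), m.group(2))] = current
        elif (m := ROUTE_RE.match(line)):
            owner[_net(m.group(2), m.group(3))] = m.group(1)
    return owner


def parse_nat(config: str) -> List[NatRule]:
    return [NatRule(m.group(1), m.group(2), _net(m.group(3), m.group(4)))
            for m in map(NAT_RE.match, config.splitlines()) if m]


def expected_interface(network: ipaddress.IPv4Network,
                       owner: Dict[ipaddress.IPv4Network, str]) -> Optional[str]:
    """Longest-prefix match: the most specific known network containing
    'network' decides which interface the real addresses sit behind."""
    best = None
    for known, iface in owner.items():
        if network.subnet_of(known) and (best is None or known.prefixlen > best[0].prefixlen):
            best = (known, iface)
    return best[1] if best else None


def check_nat(config: str) -> List[Finding]:
    owner = parse_networks(config)
    findings: List[Finding] = []
    for rule in parse_nat(config):
        if rule.network.prefixlen == 0:
            continue  # catch-all rule; legitimately bound to any interface
        exp = expected_interface(rule.network, owner)
        if exp and exp != rule.iface:
            net, mask = str(rule.network.network_address), str(rule.network.netmask)
            findings.append(Finding(rule, exp, [
                f"no nat ({rule.iface}) {rule.nat_id} {net} {mask}",
                f"nat ({exp}) {rule.nat_id} {net} {mask}",
            ]))
    return findings


if __name__ == "__main__":
    for f in check_nat(SAMPLE_CONFIG):
        print(f"nat ({f.rule.iface}) covers {f.rule.network}, which is behind "
              f"'{f.expected_iface}'; suggested fix:")
        print("\n".join("  " + line for line in f.fix))
```

Running it on the sample reports the single misplaced rule and prints the same `no nat (inside) ...` / `nat (dmz) ...` pair as the answer. Re-running on the corrected config returns no findings; as the answer notes, the running box still needs `clear xlate` so that translations built under the old rule are dropped.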
05-19-2010 02:28 AM
You are awesome,
Thanks very much, works great. Think I need to brush up on DMZ setups.