Cannot access outside from dmz, ASA 5505

keithtuttle · ‎08-08-2012

I am not able to get to the internet from my DMZ ip address.

Here is my config.

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.39.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 172.16.4.1 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name enerfab.com

pager lines 24

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 172.16.4.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 10.10.39.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.10.0.0 255.255.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 192.168.10.20 192.168.10.21

dhcpd auto_config outside

dhcpd option 150 ip 192.168.0.151

!

dhcpd address 10.10.39.71-10.10.39.132 inside

dhcpd enable inside

!

dhcpd address 172.16.4.50-172.16.4.58 DMZ

dhcpd enable DMZ

!

vpnclient server XXX>XXX>XXX>XX

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup name_EZVPN password ********

vpnclient username name password *******

vpnclient enable

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

no tunnel-group-map enable peer-ip

!

class-map inspection_default

match default-inspection-traffic

Thanks in advance.

Maykol Rojas · ‎08-12-2012

Keith,

Are the clients on the DMZ receiving addresses correctly? When they have an address, can they ping their default gateway? Can you do

packet-tracer input DMZ icmp 172.16.4.51 8 0 4.2.2.2

Do you have the logs of the firewall? Can you try to access the websites using their IP addresses instead of the FQDN?

Mike

zujalal · ‎08-12-2012

Is Internet access working from the inside? I dont see a default route configured in the config above.

Zubair

communication.boy · ‎08-12-2012

As zubair said its about the default route , it should be

route outside 0 0 (ip address of next hop)

Maykol Rojas · ‎08-12-2012

I think this should take care of it:

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

Thats why you dont see it configured.

Mike