Host in DMZ cannot access the internet (ASA 5505)

dmendrin1 (Level 1)

I have an ASA 5505 configured with 3 interfaces, inside, outside and DMZ.  Everything seems to be working except for DMZ access to the internet.  What I want is for the DMZ to communicate to the inside network over port 1433, and the DMZ to communicate to the outside through port 80 and 443 only.  Packet-tracer shows that traffic is being allowed, but I am still unable to access the internet from the DMZ.  My ASA license is for an unrestricted DMZ.  What am I missing here?  Any help would be greatly appreciated.  Here is my running config:

 

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password ZxfBfHJd/0y196hK encrypted
passwd WipvgyNLwa6OgUb9 encrypted
names
name xxx.xxx.xxx.xxx Outside_Public_IP
name yyy.yyy.yyy.yyy DMZ_Public_IP
name 192.168.1.5 SBS
name 192.168.1.6 Tower
name 192.168.1.102 Controller
name 172.16.1.10 DMZ_Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outside_Public_IP 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server zzz.zzz.zzz.zzz
 name-server zzz.zzz.zzz.zzz
access-list DMZ_in extended permit tcp host DMZ_Server host Tower eq 1433
access-list DMZ_in permit tcp host DMZ_Server any eq 80
access-list outside_in extended permit tcp any host Outside_Public_IP eq smtp
access-list outside_in extended permit tcp any host Outside_Public_IP eq https
access-list outside_in extended permit tcp any host Outside_Public_IP eq 3389
access-list outside_in extended permit tcp any host Outside_Public_IP eq 3391
access-list outside_in extended permit tcp any host Outside_Public_IP eq 3392
access-list outside_in extended permit tcp any host DMZ_Public_IP eq www
access-list outside_in extended permit tcp any host DMZ_Public_IP eq https
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp SBS smtp netmask 255.255.255.255
static (inside,outside) tcp interface https SBS https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 SBS 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 Controller 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 Tower 3392 netmask 255.255.255.255
static (inside,DMZ) Tower Tower netmask 255.255.255.255
static (DMZ,outside) DMZ_Public_IP DMZ_Server netmask 255.255.255.255
access-group outside_in in interface outside
access-group DMZ_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xyz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:077c810e608e5d0e7b455ba859c5eb7b
: end

 


4 Replies

nspasov (Cisco Employee)

Can you post the CLI output of your packet-tracer? Also, I assume that you cannot browse to the internet, but what about a ping from the DMZ interface to a public IP such as 4.2.2.2?

Saqib Raza (Level 1)

Do you have logging on? What is the log output you see when you try to initiate a connection from DMZ to inside?

If you can ASDM into the ASA and see the real-time logging, you will see if the ASA is dropping packets and for what reason.

nkarthikeyan (Level 7), accepted solution

Hi,

 

If you access an HTTP site then it will respond, because you have allowed only HTTP, and you also do not have DNS allowed here for domain name resolution. You have to allow the DNS server that you configure for your host in the DMZ_in ACL.

 

Regards

Karthik
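As an added example (not part of any post in this thread, and not Cisco's text): the DMZ_in ACL written out with the entries the thread ends up needing, DNS to the configured resolvers and HTTPS, followed by the packet-tracer checks that would have shown the drop. The resolver addresses are redacted on the page (zzz.zzz.zzz.zzz) and are left that way here; the object-group name DMZ_DNS_Servers and the deny toward 192.168.1.0/24 are my additions, not something the original poster configured.

```cisco
! Added example, not from the thread. Names (DMZ_Server, Tower) are the
! 'name' aliases from the posted config; zzz.zzz.zzz.zzz stands for the two
! redacted name-servers in the DefaultDNS group.
object-group network DMZ_DNS_Servers
 network-object host zzz.zzz.zzz.zzz
 network-object host zzz.zzz.zzz.zzz
!
! Order matters: the ASA stops at the first match and ends every ACL with an
! implicit deny, so the specific permits go first, the deny toward the inside
! network next, and the 'any' permits last.
access-list DMZ_in extended permit tcp host DMZ_Server host Tower eq 1433
access-list DMZ_in extended permit udp host DMZ_Server object-group DMZ_DNS_Servers eq domain
access-list DMZ_in extended permit tcp host DMZ_Server object-group DMZ_DNS_Servers eq domain
access-list DMZ_in extended deny ip host DMZ_Server 192.168.1.0 255.255.255.0 log
access-list DMZ_in extended permit tcp host DMZ_Server any eq www
access-list DMZ_in extended permit tcp host DMZ_Server any eq https
access-group DMZ_in in interface DMZ
!
! Verification: test the DNS flow, not only the HTTP one. With the posted ACL
! the first command reports DROP at the ACL phase; with the lines above it
! reports ALLOW. 'show access-list' then confirms hit counts are climbing.
packet-tracer input DMZ udp 172.16.1.10 1025 zzz.zzz.zzz.zzz 53
packet-tracer input DMZ tcp 172.16.1.10 1025 4.2.2.2 443
show access-list DMZ_in
```

Two notes on applying this. Without the explicit deny toward 192.168.1.0/24, the `permit tcp host DMZ_Server any eq www` line also permits the DMZ server to reach inside hosts on port 80, since the ACL on the DMZ interface is evaluated for every egress interface; a compromised DMZ host should not get that for free. And because new ACEs are appended to the end of a live ACL, either enter them in the order shown on a fresh ACL or use `access-list DMZ_in line N ...` to position the deny before the `any` permits.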

Adding port 53 access to my DNS servers on the DMZ_in ACL did the trick. Thank you.

And a thanks to the others who gave suggestions as well.
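The reason the original packet-tracer test looked fine while browsing still failed is worth seeing concretely: packet-tracer only evaluates the one flow you hand it, and the posted DMZ_in ACL permitted TCP/80 while the implicit deny at the end of the ACL dropped everything else, name resolution included. The script below is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of access-list syntax used in the posted config, run against the DMZ_in lines as posted and against the same ACL with DNS and HTTPS entries added. The resolver address 198.51.100.53 is a constructed stand-in for the name-server the page redacts as zzz.zzz.zzz.zzz; 4.2.2.2 is the public address suggested in nspasov's reply.

```python
"""Added example: first-match evaluator for ASA 8.2 extended ACL lines.

Not code from the thread or from Cisco. It handles the subset of syntax in the
posted config: 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
[log]' where SRC/DST is 'any', 'host X' or 'NET MASK', and X may be one of the
'name' aliases from the config.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# 'name' aliases copied from the posted config. DNS_Server (198.51.100.53) is a
# constructed stand-in for the name-server the page redacts as zzz.zzz.zzz.zzz.
NAMES = {
    "Tower": "192.168.1.6",
    "DMZ_Server": "172.16.1.10",
    "DNS_Server": "198.51.100.53",
}
# ASA port keywords that appear in the posted config, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _addr(tokens: List[str], i: int):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        ip = NAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{ip}/32"), i + 2
    net = NAMES.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    i = 3 if t[2] == "extended" else 2      # skip 'access-list NAME [extended]'
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Ace(action, proto, src, dst, dport)   # a trailing 'log' is ignored


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the flow is permitted. The first matching ACE wins; a flow that
    matches nothing hits the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# DMZ_in exactly as posted in the running config.
POSTED_DMZ_IN = [parse_ace(line) for line in [
    "access-list DMZ_in extended permit tcp host DMZ_Server host Tower eq 1433",
    "access-list DMZ_in permit tcp host DMZ_Server any eq 80",
]]
# The same ACL with the entries the thread concluded were missing.
FIXED_DMZ_IN = POSTED_DMZ_IN + [parse_ace(line) for line in [
    "access-list DMZ_in extended permit udp host DMZ_Server host DNS_Server eq domain",
    "access-list DMZ_in extended permit tcp host DMZ_Server host DNS_Server eq domain",
    "access-list DMZ_in extended permit tcp host DMZ_Server any eq https",
]]

# Constructed flows a browser on DMZ_Server generates, in the order it generates them.
FLOWS = [
    ("udp", "172.16.1.10", "198.51.100.53", 53),   # resolve the hostname first
    ("tcp", "172.16.1.10", "4.2.2.2", 80),         # the flow the OP fed to packet-tracer
    ("tcp", "172.16.1.10", "4.2.2.2", 443),
    ("tcp", "172.16.1.10", "192.168.1.6", 1433),
]


def report(acl: List[Ace]) -> dict:
    """Map each flow in FLOWS to whether the given ACL permits it."""
    return {flow: evaluate(acl, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_DMZ_IN), ("fixed", FIXED_DMZ_IN)):
        print(label)
        for flow, ok in report(acl).items():
            print("  %-3s %s -> %s:%d  %s" % (*flow, "permit" if ok else "DENY (implicit)"))
```

Run as is, the "posted" section shows TCP/80 permitted and the UDP/53 lookup denied, which is exactly the combination the original poster saw: packet-tracer succeeds for the web flow, the browser never gets an address to connect to. The "fixed" section permits all four flows.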
