Solved: No Internet from DMZ

itlklubos6 · ‎04-02-2013

Hi,

I am trying to configure DMZ on ASA 5505, basic license. After changes I have made I cannot access Internet from DMZ. I think I am missing an access list for DMZ, but I am not sure. Could someone please have a look at my test-config?

Thank you.

-----

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 194.200.30.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 174.60.20.114 255.255.255.252
!
interface Vlan3
description Interface for testASA, DMZ level 50
no forward interface Vlan1
nameif DMZ50
security-level 50
ip address 30.30.30.1 255.255.255.0
!

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network testASA
host 30.30.30.10

access-list OUTSIDE-IN extended permit tcp any object testASA eq www

object network obj_any
nat (inside,outside) dynamic interface

object network testASA
nat (DMZ50,outside) static interface no-proxy-arp service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface

access-group OUTSIDE-IN in interface outside

route outside 0.0.0.0 0.0.0.0 174.60.20.113 1

http server enable
http 194.200.30.0 255.255.255.0 inside

dhcpd dns 84.89.344.18 84.89.344.19
dhcpd auto_config outside
!
dhcpd address 194.200.30.7-194.200.30.134 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
dhcpd address 50.50.50.10-50.50.50.120 DMZ50
dhcpd dns 74.79.244.18 84.89.344.19 interface DMZ50
!

: end

Jouni Forss · ‎04-02-2013

Hi,

You dont seem to have a NAT configuration for the DMZ hosts

Try adding

object-group network DMZ-DEFAULT-PAT-SOURCE

network-object 30.30.30.0 255.255.255.0

nat (DMZ50,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface

- Jouni

View solution in original post

Jouni Forss · ‎04-02-2013

Also,

I am not quite sure what these DHCP configurations are supposed to be?

dhcpd address 50.50.50.10-50.50.50.120 DMZ50

I guess you must have inserted some random IP addresses into the ASA configuration before you posted it? I dont think you should be able to configure a DHCP pool that is different from the actual interface IP address range/subnet

- Jouni

View solution in original post

Jouni Forss · ‎04-02-2013

Hi,

You dont seem to have a NAT configuration for the DMZ hosts

Try adding

object-group network DMZ-DEFAULT-PAT-SOURCE

network-object 30.30.30.0 255.255.255.0

nat (DMZ50,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface

- Jouni

Jouni Forss · ‎04-02-2013

Also,

I am not quite sure what these DHCP configurations are supposed to be?

dhcpd address 50.50.50.10-50.50.50.120 DMZ50

I guess you must have inserted some random IP addresses into the ASA configuration before you posted it? I dont think you should be able to configure a DHCP pool that is different from the actual interface IP address range/subnet

- Jouni

itlklubos6 · ‎04-02-2013

Thank you for help, I will try it.

Yes, those addresses are leftovers from previous "experiments".

sahseth · ‎04-08-2013

Statement in configuration “dhcpd address 50.50.50.10-50.50.50.120 DMZ50” should be removed as DMZ50 is already running with different IP subnet 30.30.30.x/24.

Thanks.