That's what I figured too, and I did get rid of the nat command for the dmz.. no luck. I also hardcoded the dns servers for our t1 into the dmz machines but still nothing. Strange

edit: I did fail to mention that these static translations both go to the same server. I have two dmz ip's on the same server - One runs the website, the other runs ftp:

30.30.30.50 maps to 69.x.x.1

30.30.30.51 maps to 69.x.x.2

Maybe the server doesn't know which public IP it should use to get out and see the web?

Update: The dmz machines can access the web if I add the line "access-list fromDMZ permit ip host dmzserver1 any" The problem is that gives the dmz machines access to all ports on the inside which isn't secure at all. What other options do I have?

"access-list fromDMZ permit ip host dmzserver1 any" will not open up all ports on your internal network as long as you remove "static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0." To move from a lower security level to higher security level, you must have an access-list permitting it and a static nat. According to your current setup, devices on the dmz will have http access to any device in your internal network.

I would try to lockdown my dmz access-list to allow only the host to access to the web - and limit those "any any" statements if possible. If you have internal web servers that need to be accessed from the dmz use one-to-one static nat translations. Such as, static (inside, dmz) 10.0.2.1 10.0.2.1 netmask 255.255.255.255 0 0 instead of opening your entire internal network.

Hope this helps.

Thanks for your post airoberts: This helps but since my previous post this pix has gone from a test to a live environment now so I need to make sure I get this command right. I left out a few lines from my earlier post that show that I am giving sql access from the dmz webserver to an inside sql database. Everything is working great now aside from giving the dmz machine access to the internet/web. Can you take another look at my current config and give me an example of what command to add/take away that will make this happen w/o changing my current config too much? Thanks!

name 30.30.30.50 server1

name 30.30.30.51 server2

access-list 101 permit ip 10.0.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 110 permit ip 10.0.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outsidein permit tcp any host 70.x.x.39 eq www

access-list outsidein permit tcp any host 70.x.x.38 eq ftp

access-list fromDMZ permit icmp any any

access-list fromDMZ permit tcp host server1 10.0.2.0 255.255.255.0 eq 1433

access-list fromDMZ permit udp host server1 10.0.2.0 255.255.255.0 eq 1434

access-list fromDMZ permit tcp any any eq www

nat (inside) 0 access-list 101

nat (inside) 10 10.0.2.0 255.255.255.0 0 0

static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0

static (dmz,outside) 70.x.x.39 fyitv06 netmask 255.255.255.255 0 0

static (dmz,outside) 70.x.x.38 fyitv06-1 netmask 255.255.255.255 0 0

access-group outsidein in interface outside

access-group fromDMZ in interface dmz

One more interesting note to add.. I still couldn't get access the web from the dmz machine with the above config, but then I tried to just enter the IP of yahoo.com and the page started to come up.. so apparently dns is getting blocked somewhere along the way. I added the line "access-list fromDMZ permit tcp any any eq 53", thinking that this would allow dns, but it did nothing for me.

--hag

Bingo.. that did it.. Opening ports 80 (tcp) and 53 (udp and tcp) enabled the dmz machines to access the web. Thanks for the suggestion csoans, I really appreciate it.. Going back to a previous post in this thread though, is it a bad idea for me to be giving this dmz machine web access? I mean after all it is in the dmz for a reason and already somewhat exposed.

--hag