Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access

Here is another posting of the configuration to reflect an unsucessful attempt to have exterior http requests from the ADSL interface route to a host in the DMZ network.


-------



: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CCXOXOXOXOXOJi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
access-group ADSL_access_in in interface ADSL
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password XOXOXO123
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5    
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!            
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith69@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!            

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cObXOXOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username acuervo password hsYXOXOXOOXTK encrypted privilege 15
username sperez password i7x8AXOXOXOOXOXOXA== nt-encrypted privilege 10
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:dfa416XXXXXXXOOOOOO4fae16
: end

Thank you very much.

I used the primary question response, and achieved outside access to the DMZ....... Perfect.

Used the (1) response, and worked perfectly

Used (3) and no problems.


Thanks,

  Andy

Well all has been well, but I have found that I can no longer access the internet from the DMZ. ... If I attempt to access any site via www or ping , i am not able to get out.....The only thing I am lacking in my "Happy" config, is this ability.


As always, your responses are appreciated.


Regards,


 Andy














: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name CLIENT.local
enable password CXOXOXOOXOXi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz  
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!            
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name CLIENT.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access2 extended permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list ADSL_access_in remark Allow HTTP
access-list ADSL_access_in extended permit tcp any interface ADSL eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.240 eq www
access-list dmz_access_in extended permit icmp 192.168.150.0 255.255.255.0 host 192.168.150.240
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.190 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.191 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.192 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.193 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.194 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9100
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9101
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.195 eq 9102
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.200 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.201 eq 41795
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq www
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41794
access-list dmz_access_in extended permit tcp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
access-list dmz_access_in extended permit udp 192.168.150.0 255.255.255.0 host 192.168.150.202 eq 41795
pager lines 24
logging enable
logging asdm warnings
logging from-address CiscoASA@myisp.net
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any dmz
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (dmz,ADSL) tcp interface www 192.168.150.245 www netmask 255.255.255.255
static (inside,dmz) 192.168.150.240 192.168.50.240 netmask 255.255.255.255
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.150.190 192.168.50.190 netmask 255.255.255.255
static (inside,dmz) 192.168.150.191 192.168.50.191 netmask 255.255.255.255
static (inside,dmz) 192.168.150.192 192.168.50.192 netmask 255.255.255.255
static (inside,dmz) 192.168.150.193 192.168.50.193 netmask 255.255.255.255
static (inside,dmz) 192.168.150.194 192.168.50.194 netmask 255.255.255.255
static (inside,dmz) 192.168.150.195 192.168.50.195 netmask 255.255.255.255
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255
static (inside,dmz) 192.168.150.201 192.168.50.201 netmask 255.255.255.255
static (inside,dmz) 192.168.150.202 192.168.50.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password mypass
http server enable
http 192.168.0.0 255.255.0.0 inside
http 68.157.114.0 255.255.255.0 ADSL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain JOHNSTON.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access2
 default-domain value JOHNSTON.local
username bobsmith password cXOXOXOOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPNClient
username apatron password hXOXOOXOOXK encrypted privilege 15
username apatron attributes
 vpn-group-policy CiscoVPNClient
username sperez password qXOOXOXOXOXOOXO encrypted privilege 10
username sperez attributes
 vpn-group-policy CiscoVPNClient
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:a1463249d6c3baabd60164edca782e9b
: end

First, to surf the Internet you'll need access to DNS name resolution.  If your DNS server is on the inside network (192.168.50.x), then you'll need to allow TCP/UDP 53 open to that server from the DMZ.  If you use a public DNS server (like one provided by your ISP), then you won't need that explicit accesss.

So, let's assume you use an internal DNS server, say at 192.168.50.100.  Then, here are the lines to add to allow surfing using that DNS server.

---------BEGIN COMMANDS---------
access-list dmz_access_in permit tcp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in permit udp 192.168.150.0 255.255.255.0 host 192.168.50.100 eq 53
access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply
---------END COMMANDS--------

That last command will allow you to ping an Internet host and receive the echo replies back from the ping (echo request).
The explicit deny in those commands is because you stated that you only wanted the DMZ to access specific things on the inside but you also wanted to allow web surfing where you don't always know the destination.  Therefore, you explicitly allow the inbound DNS first for name resolution of web hosts, then you explicitly deny any other inbound traffic to the internal network and then finally you allow everything else for surfing the Internet.  It's done this way since the ACL's are parsed in the order in which they appear in the config, so the order of those commands does indeed matter!

Good luck!

Thank you....

I implemented

access-list dmz_access_in deny ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list ADSL_access_in extended permit icmp any any echo-reply

and now I can get out of the DMZ to the real world, but still have the other benefits of the internal/DMZ segregation.


Will post a final config after testing and tweaking over Thanksgiving.

Thanks again for bearing with me ......  Getting my mind into the swing of ASA statements is starting to take hold.

 Andy