ASA 5505 (8.3.1) DMZ access to outside

kindly describe more about your problem...

DMZ can not access Internet and no errors in log

Had it working when I wanted the DMZ to go over the INSIDE interface to communicate with VPN.

NOW I have taken out all config to Inside and want the DMZ to access the Outside.

Cant seem to get it to give me any debugging info either.

6      Sep 29 2008      19:31:32      302015      8.8.8.8      53      192.168.1.110      59468      Built outbound UDP connection 2298 for outside:8.8.8.8/53 (8.8.8.8/53) to dmz:192.168.1.110/59468 (192.168.1.110/59468)
6      Sep 29 2008      19:31:30      302016      8.8.8.8      53      192.168.1.110      62740      Teardown UDP connection 2234 for outside:8.8.8.8/53 to dmz:192.168.1.110/62740 duration 0:02:08 bytes 110

I 'read' that I can only access ONE interface with a base license and was trying to move from Inside to Outside

paste the output of show version

sh ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

Rye5505 up 2 hours 20 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0    : address is 503d.e59e.953d, irq 11
 1: Ext: Ethernet0/0         : address is 503d.e59e.9535, irq 255
 2: Ext: Ethernet0/1         : address is 503d.e59e.9536, irq 255
 3: Ext: Ethernet0/2         : address is 503d.e59e.9537, irq 255
 4: Ext: Ethernet0/3         : address is 503d.e59e.9538, irq 255
 5: Ext: Ethernet0/4         : address is 503d.e59e.9539, irq 255
 6: Ext: Ethernet0/5         : address is 503d.e59e.953a, irq 255
 7: Ext: Ethernet0/6         : address is 503d.e59e.953b, irq 255
 8: Ext: Ethernet0/7         : address is 503d.e59e.953c, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1510Z0NL
Running Permanent Activation Key: 0x4c0ddd53 0xdc83b436 0x7c30096c 0x828480a8 0xc92930a6
Configuration register is 0x1
Configuration last modified by enable_15 at 19:21:05.019 UTC Mon Sep 29 2008

and full config, in case you think there is something left out....

: Saved
:
ASA Version 8.3(1)
!
hostname Rye5505
domain-name thedavid
enable password  encrypted
passwd  encrypted
names
name 192.168.72.0 Sixpines description VPN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.73.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.15.200.138 255.255.255.252
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name thedavid
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
 description Sixpines  
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
object network DMZ
 subnet 192.168.1.0 255.255.255.0
object-group network SixpinesInternalNetwork
 network-object Sixpines 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
access-list dmz extended permit ip object obj_any object DMZ
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (dmz,outside) source static DMZ DMZ
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.73.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 dmz
http Sixpines 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.73.101-192.168.73.132 inside
dhcpd dns 192.168.72.14 8.8.8.8 interface inside
dhcpd domain thedavidlawfirm interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
 pre-shared-key
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

Hey<

Thanks for the reply! When I tried your suggestion, before you suggested it, I got an error in the cli that you "can not add a network". (I beleive it is because I have the 0.0.0.0 network as any, instead of specifing)

I got it working, here is what I did.

I had to add individual objects in the DMZ and then add network object NAT rule for each IP address that I wanted.

object network test
 host 192.168.1.110
 description test host
object network Server
 host 192.168.1.10
 description Server
object network Susanna
 host 192.168.1.108


object network test
 nat (any,outside) dynamic interface
object network Server
 nat (any,outside) dynamic interface
object network Susanna
 nat (any,outside) dynamic interface

I spelled out DMZ in cli  but it put it in config as 'any'........ hmmmm


Honestly, just kept at it,,, reading the errors off the cli and changing it up.

I am POSITIVE it is not the right way BUT, it is working until I can figure out the correct way.


THANKS for your reply, I will award you the points

At least he replied!!!!!

He gets my 'effort' points!!!