ASA 5505 (8.3.1) DMZ access to outside

charlietaylor
charlietaylor used Ask the Experts™
on
I have a 5505 that has a BASE license and had it communicating with VPN (INSIDE) interface and now need Internet access only. I had no issue getting the DMZ communicating with far side VPN but now can not get to talk to OUTSIDE. I am not getting any errors in the log (shows to be building up and tearing down correctly)

I can put the "access-group dmz in interface dmz" command line in and get errors in log that show "DENY by access-group dmz"

any expert suggestions? (see condensed config below)


!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.73.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.15.200.138 255.255.255.252
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 5
!
boot system disk0:/asa831-k8.bin
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
 description Sixpines  
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
object network DMZ
 subnet 192.168.1.0 255.255.255.0
object-group network SixpinesInternalNetwork
 network-object Sixpines 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
access-list dmz extended permit ip object obj_any object DMZ
!
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (dmz,outside) source static DMZ DMZ
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1


Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2010

Commented:
kindly describe more about your problem...

Author

Commented:
DMZ can not access Internet and no errors in log

Author

Commented:
Had it working when I wanted the DMZ to go over the INSIDE interface to communicate with VPN.

NOW I have taken out all config to Inside and want the DMZ to access the Outside.

Cant seem to get it to give me any debugging info either.

6      Sep 29 2008      19:31:32      302015      8.8.8.8      53      192.168.1.110      59468      Built outbound UDP connection 2298 for outside:8.8.8.8/53 (8.8.8.8/53) to dmz:192.168.1.110/59468 (192.168.1.110/59468)
6      Sep 29 2008      19:31:30      302016      8.8.8.8      53      192.168.1.110      62740      Teardown UDP connection 2234 for outside:8.8.8.8/53 to dmz:192.168.1.110/62740 duration 0:02:08 bytes 110
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
I 'read' that I can only access ONE interface with a base license and was trying to move from Inside to Outside
Top Expert 2010

Commented:
paste the output of show version

Author

Commented:
sh ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

Rye5505 up 2 hours 20 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0    : address is 503d.e59e.953d, irq 11
 1: Ext: Ethernet0/0         : address is 503d.e59e.9535, irq 255
 2: Ext: Ethernet0/1         : address is 503d.e59e.9536, irq 255
 3: Ext: Ethernet0/2         : address is 503d.e59e.9537, irq 255
 4: Ext: Ethernet0/3         : address is 503d.e59e.9538, irq 255
 5: Ext: Ethernet0/4         : address is 503d.e59e.9539, irq 255
 6: Ext: Ethernet0/5         : address is 503d.e59e.953a, irq 255
 7: Ext: Ethernet0/6         : address is 503d.e59e.953b, irq 255
 8: Ext: Ethernet0/7         : address is 503d.e59e.953c, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1510Z0NL
Running Permanent Activation Key: 0x4c0ddd53 0xdc83b436 0x7c30096c 0x828480a8 0xc92930a6
Configuration register is 0x1
Configuration last modified by enable_15 at 19:21:05.019 UTC Mon Sep 29 2008

Author

Commented:
and full config, in case you think there is something left out....

: Saved
:
ASA Version 8.3(1)
!
hostname Rye5505
domain-name thedavid
enable password  encrypted
passwd  encrypted
names
name 192.168.72.0 Sixpines description VPN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.73.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.15.200.138 255.255.255.252
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name thedavid
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
 description Sixpines  
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
object network DMZ
 subnet 192.168.1.0 255.255.255.0
object-group network SixpinesInternalNetwork
 network-object Sixpines 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
access-list dmz extended permit ip object obj_any object DMZ
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (dmz,outside) source static DMZ DMZ
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.73.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 dmz
http Sixpines 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.73.101-192.168.73.132 inside
dhcpd dns 192.168.72.14 8.8.8.8 interface inside
dhcpd domain thedavidlawfirm interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
 pre-shared-key
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

try this,

no nat (dmz,outside) source static DMZ DMZ
object network DMZ
 nat(DMZ,outside) dynamic interface

Author

Commented:
Hey<

Thanks for the reply! When I tried your suggestion, before you suggested it, I got an error in the cli that you "can not add a network". (I beleive it is because I have the 0.0.0.0 network as any, instead of specifing)

I got it working, here is what I did.

I had to add individual objects in the DMZ and then add network object NAT rule for each IP address that I wanted.

object network test
 host 192.168.1.110
 description test host
object network Server
 host 192.168.1.10
 description Server
object network Susanna
 host 192.168.1.108


object network test
 nat (any,outside) dynamic interface
object network Server
 nat (any,outside) dynamic interface
object network Susanna
 nat (any,outside) dynamic interface

I spelled out DMZ in cli  but it put it in config as 'any'........ hmmmm


Honestly, just kept at it,,, reading the errors off the cli and changing it up.

I am POSITIVE it is not the right way BUT, it is working until I can figure out the correct way.


THANKS for your reply, I will award you the points

Author

Commented:
At least he replied!!!!!

He gets my 'effort' points!!!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial