Need help with Cisco ASA DMZ configuration

I have added a DMZ zone to my Cisco ASA (configuration is below).  I needed this to be used just for a "guest" network, so that people coming into the office can access the Internet without getting on my production LAN.  Everything is working, EXCEPT that I cannot get a workstation to ping the Internet, nor can I get the Internet to ping a workstation, which means I am getting zero traffic out over the Internet from my configured DMZ.  I have done this several times before, but I have looked at this configuration for so long that I have to be missing something very small in my config.

Again, all I want to do is this: configure a DMZ through my ASA, allow it to service that DMZ with DHCP, and have any workstation that attaches to the DMZ be able to get to the Internet.  

Can someone look at my configuration below, and tell me what I am missing?  I am just not seeing it, and need another expert pair of eyes.

Thank you very much in advance.

(version information first)
Cisco Adaptive Security Appliance Software Version 8.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

G1-PERF-ASA up 15 days 1 hour

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 503d.e51e.afb0, irq 9
 1: Ext: Ethernet0/1         : address is 503d.e51e.afb1, irq 9
 2: Ext: Ethernet0/2         : address is 503d.e51e.afb2, irq 9
 3: Ext: Ethernet0/3         : address is 503d.e51e.afb3, irq 9
 4: Ext: Management0/0       : address is 503d.e51e.afb4, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50        
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled  
SSL VPN Peers                : 2        
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled  
AnyConnect for Linksys phone : Disabled  
AnyConnect Essentials        : Disabled  
Advanced Endpoint Assessment : Disabled  
UC Phone Proxy Sessions      : 2        
Total UC Proxy Sessions      : 2        
Botnet Traffic Filter        : Disabled  

This platform has a Base license.

Serial Number: JMX1511L102
Running Activation Key: 0x5007e16f 0x9447f4c1 0xd42051f4 0xa9386460 0xc7162486
Configuration register is 0x1
Configuration last modified by enable_15 at 11:03:09.800 UTC Wed Jan 4 2012
G1-PERF-ASA#

(start of configuration)
: Saved
:
ASA Version 8.2(1)
!
hostname G1-PERF-ASA
domain-name southeast.epi.com
names
!
interface Ethernet0/0
 description Applachian epi's Inside LAN
 nameif inside
 security-level 100
 ip address 172.23.1.2 255.255.0.0
!
interface Ethernet0/1
 description Applachian Internet thru ISP
 nameif outside
 security-level 0
 ip address 99.58.132.66 255.255.255.240
!
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.23.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 description Applachian ASA-5510 Management Interface
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name southeast.epi.com
same-security-traffic permit inter-interface
access-list VPN extended permit ip 172.23.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list VPN extended permit ip 172.23.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list VPN extended permit ip 172.23.0.0 255.255.0.0 192.168.151.0 255.255.255.0
access-list VPN extended permit ip 172.23.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list VPN extended permit ip 172.23.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list EPI-MD extended permit ip 172.23.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list JDG extended permit ip 172.23.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit ip host 99.58.132.69 any
access-list SPLIT-TUNNEL standard permit 172.23.0.0 255.255.0.0
access-list EPI-KY extended permit ip 172.23.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list EPI-GA-MGMT extended permit ip 172.23.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list DMZ extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
ip local pool gapool 192.168.151.1-192.168.151.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.23.50
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 99.58.132.69 192.168.23.100 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 99.58.132.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.23.3.5
http server enable
snmp-server host outside 209.194.98.4 community public
snmp-server location EPI-GA
snmp-server contact Network Administrator
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set episet2 esp-3des esp-md5-hmac
crypto ipsec transform-set episet esp-des esp-md5-hmac
crypto ipsec transform-set episet3 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map etigavpn 10 set pfs group1
crypto dynamic-map etigavpn 10 set transform-set episet3
crypto map etimap 10 match address EPI-KY
crypto map etimap 10 set peer 54.76.102.35
crypto map etimap 10 set transform-set episet3
crypto map etimap 20 match address EPI-MD
crypto map etimap 20 set peer 62.97.61.106
crypto map etimap 20 set transform-set episet2
crypto map etimap 30 match address JDG
crypto map etimap 30 set peer 33.76.172.124
crypto map etimap 30 set transform-set episet2
crypto map etimap 40 match address EPI-GA-MGMT
crypto map etimap 40 set peer 38.66.212.42
crypto map etimap 40 set transform-set episet3
crypto map etimap 65000 ipsec-isakmp dynamic etigavpn
crypto map etimap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 3600
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.23.0.0 255.255.0.0 inside
telnet timeout 20
ssh 172.23.0.0 255.255.0.0 inside
ssh 33.76.172.124 255.255.255.255 outside
ssh 209.194.98.3 255.255.255.255 outside
ssh timeout 15
console timeout 0
dhcpd lease 84000
!
dhcpd address 192.168.23.100-192.168.23.199 dmz
dhcpd dns 192.168.23.252 interface dmz
dhcpd domain etiextdmz.lan interface dmz
dhcpd enable dmz
!
priority-queue outside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy EPIVPNG1 internal
group-policy EPIVPNG1 attributes
 wins-server value 172.23.3.4
 dns-server value 172.23.3.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value southeast.epi.lan
username epiga password (removed) encrypted
username epiga attributes
 vpn-group-policy EPIVPNG1
username epiga2 password (removed) encrypted
username epiga2 attributes
 vpn-group-policy EPIVPNG1
tunnel-group 62.97.61.106 type ipsec-l2l
tunnel-group 62.97.61.106 ipsec-attributes
 pre-shared-key *
tunnel-group 33.76.172.124 type ipsec-l2l
tunnel-group 33.76.172.124 ipsec-attributes
 pre-shared-key *
tunnel-group 54.76.102.35 type ipsec-l2l
tunnel-group 54.76.102.35 ipsec-attributes
 pre-shared-key *
tunnel-group EPI-VPNGA type remote-access
tunnel-group EPI-VPNGA general-attributes
 address-pool gapool
 default-group-policy EPIVPNG1
tunnel-group EPI-VPNGA ipsec-attributes
 pre-shared-key *
tunnel-group 38.66.212.42 type ipsec-l2l
tunnel-group 38.66.212.42 ipsec-attributes
 pre-shared-key *
!
class-map class_sunrpc_tcp
 match port tcp eq sunrpc
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
class-map Data
 match flow ip destination-address
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
  inspect ils
 class class_sunrpc_tcp
  inspect sunrpc
policy-map Voicepolicy
 class Voice
  priority
 class Data
  police output 200000 37500
!
service-policy global_policy global
service-policy Voicepolicy interface outside
prompt hostname context
Cryptochecksum:fb79b12f7cdfe89fe5673feca003de5c
: end
G1-PERF-ASA#
jgrammer42 Asked:

Jan Springer Commented:
nat (dmz) 1 192.168.23.0 255.255.255.0
TheTull Commented:
It looks like a NAT misconfiguration to me.

Try getting rid of this line: global (dmz) 1 192.168.23.50

And put in this line: nat (dmz) 1 192.168.23.0 255.255.255.0

Now if you want inside traffic to NAT to 192.168.23.50 then try this: global (dmz) 2 192.168.23.50

And then add this: nat (inside) 2 0.0.0.0 0.0.0.0

jgrammer42 (Author) Commented:
Well, that gets me closer with both of your suggestions, but it is still not quite right.

I removed the "global (dmz) 1 192.168.23.50" command and added only this command:

nat (dmz) 1 192.168.23.0 255.255.255.0

It will not let a workstation on the DMZ ping out and resolve any IP addresses on the Internet, but I am still not able to browse the web.

Any suggestions?

Thank you both for your help,
Jeff

Jan Springer Commented:
Configure:

access-list DMZ permit ip any any

and reapply it.
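Putting the NAT change suggested by TheTull and Jan Springer together with the DMZ access list from the accepted answer, as an added example (not posted by anyone in this thread): once an access list is applied inbound on the dmz interface it governs all DMZ-originated traffic, so `permit ip any any` would also let guests reach the production LAN on inside, which is exactly what the question wanted to avoid; the deny entry below keeps that isolation independent of how NAT behaves. The packet-tracer hosts and ports are constructed sample values (203.0.113.10 is a documentation address; 172.23.3.4 is the inside DNS server from the posted config).

```cisco
! Added example: guest DMZ to Internet with NAT, while keeping guests off the inside LAN
! (ASA 8.2 syntax, matching the configuration posted above)
!
! 1. Remove the stray dmz global and translate DMZ hosts; the existing
!    "global (outside) 1 interface" entry already supplies the outside address
!    that this nat statement will use.
no global (dmz) 1 192.168.23.50
nat (dmz) 1 192.168.23.0 255.255.255.0
!
! 2. Rebuild the DMZ access list in order. Entries are evaluated top to bottom,
!    so the old "permit icmp any any" must go before the deny is added.
no access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip 192.168.23.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list DMZ extended permit ip any any
access-group DMZ in interface dmz
!
! 3. Verify from the ASA CLI (constructed sample hosts/ports): a guest reaching a
!    web server on the Internet, then the same guest trying the inside DNS server.
packet-tracer input dmz tcp 192.168.23.100 12345 203.0.113.10 80
packet-tracer input dmz tcp 192.168.23.100 12345 172.23.3.4 53
```

The first trace should finish with a NAT phase and an allow action, the second with a drop at the DMZ access list; `show xlate` afterwards lists the dmz translations once guest traffic has flowed.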

jgrammer42 (Author) Commented:
Sorry, I had a typo in my response... using the "nat (dmz) 192.168.30.0 255.255.255.0" command it WILL let me resolve and ping an Internet IP address.  But I still cannot browse the web or VPN from that DMZ.

My apologies for the typo.

Jeff
jgrammer42 (Author) Commented:
jesper,

I was being stupid... thank you VERY, VERY much.  I am good to go now, it appears.

jgrammer42 (Author) Commented:
jesper's two command lines 100% corrected my issue.

Thank you very much.