Solved

Access to Internet from DMZ VLAN

Posted on 2015-01-19
2
149 Views
Last Modified: 2015-01-28
I'm trying to add a guest/DMZ VLAN to an ASA5505.  I've got port 1 configured for this VLAN.  The ASA has a DHCP pool for the VLAN.  That is working fine.  When I attach a workstation directly to port 1, it gets an address, proper gateway and DNS server (8.8.8.8) but can't reach any web pages.  The box has the Security+ license installed.  Below is an abbreviated configuration with modified outside IP addresses,  What have I missed?

Tx

Bill

:
ASA Version 8.2(5)
!
hostname DTASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.194.17.154 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 10
 ip address 192.168.33.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list TDRemote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit tcp host 192.168.0.3 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Addresses 192.168.89.1-192.168.89.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
.
.
.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 26.194.17.129 1
route inside 192.168.200.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.
.
.
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.33.10-192.168.33.254 DMZ
dhcpd enable DMZ
!
 .
.
.

DTASA(config)#

0
Comment
Question by:labdunn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 5

Accepted Solution

by:
Joey Yung earned 500 total points
ID: 40559089
try to change this
no nat (DMZ) 2 192.168.33.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

There should be no need an ACL as the DMZ have a higher security level than outside. However, you better to define it.
0
 
LVL 1

Author Comment

by:labdunn
ID: 40574905
Sorry for the delayed response but that got it.  Thank you Joey.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question