Solved

Access to Internet from DMZ VLAN

Posted on 2015-01-19
145 Views
Last Modified: 2015-01-28
I'm trying to add a guest/DMZ VLAN to an ASA5505. I've got port 1 configured for this VLAN. The ASA has a DHCP pool for the VLAN. That is working fine. When I attach a workstation directly to port 1, it gets an address, proper gateway and DNS server (8.8.8.8) but can't reach any web pages. The box has the Security+ license installed. Below is an abbreviated configuration with modified outside IP addresses. What have I missed?

Tx

Bill

:
ASA Version 8.2(5)
!
hostname DTASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.194.17.154 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 10
 ip address 192.168.33.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list TDRemote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit tcp host 192.168.0.3 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Addresses 192.168.89.1-192.168.89.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
.
.
.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 26.194.17.129 1
route inside 192.168.200.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.
.
.
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.33.10-192.168.33.254 DMZ
dhcpd enable DMZ
!
 .
.
.

DTASA(config)#

Question by: labdunn
2 Comments

Accepted Solution

by: Joey Yung earned 500 total points
ID: 40559089
Try changing this:
no nat (DMZ) 2 192.168.33.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

There should be no need for an ACL, as the DMZ has a higher security level than outside. However, you'd better define it.
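The accepted fix works because, on pre-8.3 ASA software, a dynamic `nat (iface) <id>` statement only translates traffic when a `global` statement with the same id exists on the egress interface; the question's config has `global (outside) 1` but the DMZ used id 2, so DMZ flows had no translation and were dropped. The following is an added example (not from the thread) that lints that pairing in a saved config; the sample lines are copied from the question and the `parse_nat_and_global`/`find_unmatched_nat_ids` helper names are this example's own.

```python
import re

# Constructed sample: the NAT-relevant lines from the ASA 8.2(5) config in the question.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
"""

# The same lines with the accepted answer applied (DMZ nat id 2 -> 1).
FIXED_CONFIG = SAMPLE_CONFIG.replace("nat (DMZ) 2", "nat (DMZ) 1")

# Pre-8.3 syntax: "nat (<iface>) <id> <spec>" and "global (<iface>) <id> <spec>".
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def parse_nat_and_global(config):
    """Return two dicts keyed by nat id: {id: [(iface, spec), ...]} for nat and global lines."""
    nats, globals_ = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return nats, globals_


def find_unmatched_nat_ids(config):
    """Return [(iface, nat_id), ...] for dynamic nat statements with no global of the same id.

    nat id 0 is identity/exemption NAT and needs no global, so it is skipped.
    Any other id without a matching global means traffic from that interface
    has no translation to the outside and is dropped (the symptom in the question).
    """
    nats, globals_ = parse_nat_and_global(config)
    unmatched = []
    for nat_id, entries in sorted(nats.items()):
        if nat_id == 0 or nat_id in globals_:
            continue
        unmatched.extend((iface, nat_id) for iface, _spec in entries)
    return unmatched


if __name__ == "__main__":
    print("original:", find_unmatched_nat_ids(SAMPLE_CONFIG))  # [('DMZ', 2)]
    print("fixed:   ", find_unmatched_nat_ids(FIXED_CONFIG))   # []
```

Run it against a `show running-config` capture to spot nat ids with no matching global before changing anything on the box.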

Author Comment

by: labdunn
ID: 40574905
Sorry for the delayed response, but that got it. Thank you, Joey.