Solved

Access to Internet from DMZ VLAN

Posted on 2015-01-19
2
147 Views
Last Modified: 2015-01-28
I'm trying to add a guest/DMZ VLAN to an ASA5505.  I've got port 1 configured for this VLAN.  The ASA has a DHCP pool for the VLAN.  That is working fine.  When I attach a workstation directly to port 1, it gets an address, proper gateway and DNS server (8.8.8.8) but can't reach any web pages.  The box has the Security+ license installed.  Below is an abbreviated configuration with modified outside IP addresses,  What have I missed?

Tx

Bill

:
ASA Version 8.2(5)
!
hostname DTASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.194.17.154 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 10
 ip address 192.168.33.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list TDRemote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit tcp host 192.168.0.3 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Addresses 192.168.89.1-192.168.89.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
.
.
.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 26.194.17.129 1
route inside 192.168.200.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.
.
.
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.33.10-192.168.33.254 DMZ
dhcpd enable DMZ
!
 .
.
.

DTASA(config)#

0
Comment
Question by:labdunn
2 Comments
 
LVL 4

Accepted Solution

by:
Joey Yung earned 500 total points
ID: 40559089
try to change this
no nat (DMZ) 2 192.168.33.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

There should be no need an ACL as the DMZ have a higher security level than outside. However, you better to define it.
0
 
LVL 1

Author Comment

by:labdunn
ID: 40574905
Sorry for the delayed response but that got it.  Thank you Joey.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question