Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Access to Internet from DMZ VLAN

Posted on 2015-01-19
2
Medium Priority
?
152 Views
Last Modified: 2015-01-28
I'm trying to add a guest/DMZ VLAN to an ASA5505.  I've got port 1 configured for this VLAN.  The ASA has a DHCP pool for the VLAN.  That is working fine.  When I attach a workstation directly to port 1, it gets an address, proper gateway and DNS server (8.8.8.8) but can't reach any web pages.  The box has the Security+ license installed.  Below is an abbreviated configuration with modified outside IP addresses,  What have I missed?

Tx

Bill

:
ASA Version 8.2(5)
!
hostname DTASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.194.17.154 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 10
 ip address 192.168.33.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list TDRemote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit tcp host 192.168.0.3 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Addresses 192.168.89.1-192.168.89.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
.
.
.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 26.194.17.129 1
route inside 192.168.200.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.
.
.
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.33.10-192.168.33.254 DMZ
dhcpd enable DMZ
!
 .
.
.

DTASA(config)#

0
Comment
Question by:labdunn
2 Comments
 
LVL 5

Accepted Solution

by:
Joey Yung earned 2000 total points
ID: 40559089
try to change this
no nat (DMZ) 2 192.168.33.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

There should be no need an ACL as the DMZ have a higher security level than outside. However, you better to define it.
0
 
LVL 1

Author Comment

by:labdunn
ID: 40574905
Sorry for the delayed response but that got it.  Thank you Joey.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question