Access to Internet from DMZ VLAN

I'm trying to add a guest/DMZ VLAN to an ASA5505.  I've got port 1 configured for this VLAN.  The ASA has a DHCP pool for the VLAN.  That is working fine.  When I attach a workstation directly to port 1, it gets an address, proper gateway and DNS server (8.8.8.8) but can't reach any web pages.  The box has the Security+ license installed.  Below is an abbreviated configuration with modified outside IP addresses,  What have I missed?

Tx

Bill

:
ASA Version 8.2(5)
!
hostname DTASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.194.17.154 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 10
 ip address 192.168.33.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list TDRemote_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit tcp host 192.168.0.3 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Addresses 192.168.89.1-192.168.89.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.33.0 255.255.255.0
.
.
.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 26.194.17.129 1
route inside 192.168.200.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.
.
.
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.33.10-192.168.33.254 DMZ
dhcpd enable DMZ
!
 .
.
.

DTASA(config)#

LVL 1
labdunnAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Joey YungConnect With a Mentor Senior Network EngineerCommented:
try to change this
no nat (DMZ) 2 192.168.33.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

There should be no need an ACL as the DMZ have a higher security level than outside. However, you better to define it.
0
 
labdunnAuthor Commented:
Sorry for the delayed response but that got it.  Thank you Joey.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.