cisco DMZ NAT configuration

Hi there.
I have a DMZ configured on an interface on a Cisco Firewall ASA5520 running software version 7.0.
I can get to my one server on there by RDP. I can also reach it from the Internet by using the static external IP address.
My problem is I cannot get from the DMZ web server out to anywhere else (the Internet, or back to the internal network even after creating ACLs). I need this site to hit a database on our internal network eventually.

The setup is:
Inside network =
Inside interface on ASA =
DMZ interface =
DMZ webserver =

Here is part of the current config (I've removed all the security/NAT ACL rules and left what I hope is anything relevant to this question).

I think my problem is I have to add NAT to the DMZ. I've tried various methods and have had no luck yet. Can anybody tell me what I need to do, or see anything I need to get rid of from the config below?

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif Swtich
 security-level 50
 ip address
interface GigabitEthernet0/2
 description DMZ - to be configured
 nameif DMZ
 security-level 25
 ip address

same-security-traffic permit inter-interface
object-group network DMZ_Outside

object-group network DMZ-Web-Servers
 description DMZ Web Servers
 network-object WEBSERVER-01

object-group service WEBSERVER-01_trafffic tcp
 description Allows Http, https and FTP to WEBSERVER-01 on the DMZ
 port-object eq ftp
 port-object eq www
 port-object eq https

mtu Outside 1500
mtu Swtich 1500
mtu management 1500
mtu DMZ 1500
icmp permit any Outside
icmp permit any Swtich
icmp permit any DMZ

global (Outside) 1 interface
global (DMZ) 1 interface
nat (Swtich) 1
nat (management) 0 access-list management_nat0_outbound
access-group outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ

Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
You are two major versions behind. I would upgrade to the latest for sure.

Your traffic in your DMZ to the LAN is going through NAT I believe.

But again, upgrade first to the latest version before anything, IMO.

You may well have errors on your access-list... which you didn't post.
Basically, should you want your webserver to go to the Internet, you need:

access-list DMZ_access_in permit ip host any

Should you want to give access from the webserver to a host on port 23 (as an example), you need:

access-list acl_dmz permit tcp host host eq 23

Hope this helps.
Jan Springer commented:
packet-tracer input DMZ udp 65535 53 detailed

What are the results?

jamiegf (Author) commented:
Daniel, if I upgrade, what happens to the existing config? Does it convert it?
I'm scared of bringing down our network and our customers too, so I'd rather not upgrade.

Hi Max. I have the inside interface at security level 50, DMZ at 25 and the outside interface at 0, so I didn't think I needed ACLs to go out to the Internet, only to come back to the higher security level. Or do I have that wrong?

I have the following ACLs:
access-list Outside-access-DMZ remark allow traffic into DMZ
access-list outside-access-DMZ extended permit tcp any host WEBSERVER-01 eq www
access-list DMZ_access_in remark Allow WEBSERVER-01 (on DMZ) to access Mysql (port 3306) on UNix server
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host object-group MySQL_Traffic
access-list DMZ_access_in remark test to my machine from DMZ- JGF
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host

I have also used the ASDM to grant access to any IP address on any TCP port just to quickly test, and this also didn't work. So I'm thinking it must be a NAT issue.
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
Your current config should be upgraded, but you want to do a few incremental upgrades.

Perform the packet trace as well. It should give you some idea if it is an access-list issue.
Jan Springer commented:
jamiegf, you should only ever *have to* upgrade for any of these three reasons:

1) you need a bug fix in a later release (or sometimes have to fall back to a previous release)

2) you are impacted by a security vulnerability

3) you are reaching end of life and need continued support
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
The codebase is 7, it should be upgraded.

Hi Max. I have the inside interface at security level 50, DMZ at 25 and the outside interface at 0, so I didn't think I needed ACLs to go out to the Internet, only to come back to the higher security level. Or do I have that wrong?

Wrong: this is true only if you do not apply an access-list on the interface (e.g. access-group DMZ_access_in in interface DMZ). Any other case has an implicit "deny any any".

Please try the access-list I provided in the last post; in particular, just to make sure it can go to the Internet:
access-list DMZ_access_in permit ip host any

access-list DMZ_access_in permit tcp host WEBSERVER-01 host eq 3306

This last case is a little more complicated, because it will depend on whether the host is already NATted to a DMZ or an outside IP.

jamiegf (Author) commented:
Hi Max - the first part worked a treat. I can ping etc. Great, thank you so much for that!

The next part hasn't worked. I tried another rule to my own machine and that also didn't work. I tested it by telnetting from other machines and the test worked OK from the "inside" network.
Do you know what I should try next?
There are no nat rules for but there is already an acl for it:
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host

Then you might already have a NAT from inside to DMZ. If this is the case, you may try to exempt NAT from inside to DMZ and then try again with the access-list I provided. Please note that you'd better test the access-list by doing a telnet to the requested port, e.g. from the DMZ host command line: telnet 3306

This is the code to exempt NAT from inside to DMZ:
access-list nonatdmz permit ip
nat (Swtich) 0 access-list nonatdmz
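The following is an added example for ASA 7.x and is not part of any post in this thread; it pulls the ACL, NAT-exemption and packet-tracer suggestions above into one coherent set for the setup described in the question. Every address, the DB-SERVER name and the public static address are constructed placeholders (the thread's real addresses are not shown); the interface name Swtich is copied from the posted config, and the nat command must use that exact nameif. Rather than the broad "permit ip host ... any", the DMZ list permits the web server only the one inside service it needs (MySQL, 3306) and then denies the rest of the inside range before the Internet permits, so that "any" does not quietly include the internal network. Note also that the posted access-group references outside_access_in while the posted inbound ACL lines are named outside-access-DMZ; ACL names are case-sensitive and must match exactly.

```cisco
! Added example (not the poster's config). Constructed sample addressing:
!   inside (nameif Swtich) network 10.10.0.0/24, MySQL host DB-SERVER = 10.10.0.25
!   DMZ network 10.20.0.0/24, WEBSERVER-01 = 10.20.0.10
!   public static for the web server = 203.0.113.10 (placeholder)
names
name 10.20.0.10 WEBSERVER-01
name 10.10.0.25 DB-SERVER

! 1. Outbound DMZ policy. Once an access-group is applied inbound on the DMZ
!    interface, the implicit deny at the end of the list drops everything not
!    permitted; the 25 -> 0 security-level ordering no longer opens anything.
!    Order matters (first match wins): specific inside permit, then deny the
!    inside range, then the Internet permits.
access-list DMZ_access_in remark WEBSERVER-01 to the inside MySQL server only
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 host DB-SERVER eq 3306
access-list DMZ_access_in remark nothing else from the DMZ into the inside range
access-list DMZ_access_in extended deny ip host WEBSERVER-01 10.10.0.0 255.255.255.0
access-list DMZ_access_in remark WEBSERVER-01 to the Internet (web, DNS, ping)
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 any eq www
access-list DMZ_access_in extended permit tcp host WEBSERVER-01 any eq https
access-list DMZ_access_in extended permit udp host WEBSERVER-01 any eq domain
access-list DMZ_access_in extended permit icmp host WEBSERVER-01 any echo
access-group DMZ_access_in in interface DMZ

! 2. NAT. "nat (Swtich) 1" with "global (DMZ) 1 interface" PATs inside hosts to the
!    DMZ interface address when they talk to the DMZ, so the DMZ host cannot open
!    its own sessions to the real inside addresses. Identity NAT (nat 0 with an
!    access-list) exempts inside<->DMZ traffic in both directions, and the ACL
!    above then matches the real inside address.
access-list nonatdmz extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (Swtich) 0 access-list nonatdmz

! The static the question already relies on for inbound access is bidirectional:
! it also gives WEBSERVER-01 its outside address for Internet-bound sessions.
static (DMZ,Outside) 203.0.113.10 WEBSERVER-01 netmask 255.255.255.255

! 3. Verify from the CLI instead of guessing (on releases that have packet-tracer):
!    it walks a synthetic packet through ACL, NAT and route lookup and names the
!    phase that drops it. Destination 203.0.113.5 is a placeholder Internet host.
packet-tracer input DMZ tcp 10.20.0.10 40000 10.10.0.25 3306 detailed
packet-tracer input DMZ tcp 10.20.0.10 40000 203.0.113.5 80 detailed
```

Read the packet-tracer output bottom-up: "Action: drop" together with the "Drop-reason" line identifies whether the failure is the ACL phase (fix DMZ_access_in) or the NAT phase (fix the exemption), which is the distinction the thread spends several posts guessing at.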


jamiegf (Author) commented:
Absolute legend! Thank you Max!
Thanks!
Should you want to upgrade the firewall code, be aware that NAT statements will have to be quite different.
The following is an article I wrote that I believe may be helpful:
