DMZ computers to access Internet 1

[dannyyo]

From a computer in DMZ I can't get to internet. I can get to internal network find, but not the internet.

Can you help?

Here's my setting below. x.x.x. = public IP.

: Saved
: Written by enable_15 at 18:52:10.578 UTC Wed Oct 29 2008
!
ASA Version 8.0(4)3
!
hostname ciscoasa
enable password
passwd
names
name x.x.x52 webserver_public
name 10.19.41.199 webserver_client
name 10.19.42.10 webserver_private
name 10.19.4.0 HQ
!
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address x.x.x51 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.19.41.250 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 10.19.42.250 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp HQ 255.255.255.0 any time-exceeded
access-list outside_access_in extended permit tcp any host webserver_public object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit tcp 10.19.0.0 255.255.0.0 host x.x.x50 eq ftp inactive
access-list inside_access_in extended permit tcp HQ 255.255.255.0 any eq

http://www inactive

access-list inside_access_in extended permit icmp HQ 255.255.255.0 any echo inactive
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.19.0.0 255.255.0.0 10.19.42.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-61351.bin
asdm location x.x.x50 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (DMZ) 101 10.19.42.1-10.19.42.20 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.19.0.0 255.255.0.0
static (DMZ,outside) webserver_public webserver_private netmask 255.255.255.255
static (DMZ,inside) webserver_public webserver_private netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x49 1
route inside HQ 255.255.255.0 10.19.41.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:63b42c1802d4c23c6a1fc6ff5b3bcdf5
: end

 

[Supergrrover]

Add this

nat (dmz) 101 10.19.42.0 255.255.255.0



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[dannyyo]

Beautiful! Thanks. I was leaning toward it being a NAT issue, but I couldn't quite put my finger on it. You are good! Thanks again.

 

[Supergrrover]

I've made the same mistakes and looked at a lot of configs. It gets easier. Hang in there.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[dannyyo]

I have another question. I basically disabled all the access-list today to test the host in the DMZ. From the host in DMZ I'm able to FTP and HTTP out to a "internet" computer x.x.x.50. This is a test environment I set up, thus the x.x.x.50 is basically a computer connected to interface g0/0 and hosts ftp and http service. If all IP permit is denied, how can ftp and http still pass trough from DMZ to outside? Everywhere else the access rule works accordingly.

 

[Supergrrover]

In the absence of an ACL applied to that interface, all traffic is allowed from a higher security level to a lower security level by default.

If you put this at the end of your ACL

access-list inside_access_in extended permit ip any any

it is essentially allowing everything that isn't explicitly denied above.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[dannyyo]

You are good. I was on the phone with Cisco support for couple of hours trying to figure it out. What was deceiving was that when you have an inactive rule then only the "implied deny any any rule" is applied and not the "implicit rule: permit all traffic to less secure networks". But when you don't have any other rules, both of the implicit rules are applied. Anyhow, I glad I got that sorted. Thank you for quick replies.