TOPIC: allow internet in dmz question

Hello, total newbie question here. I have an asa 5510 that I need to allow internet access to the dmz for a wireless network so guests can access internet. Any advice?

Thanks!!!

My config:

interface Ethernet0/0
nameif outside
security-level 0
ip address 65.xxx.xxx.67 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 10
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name acmeillinois.org
object-group service spi1 tcp
port-object eq www
port-object eq pop3
port-object eq https
port-object eq smtp
port-object eq 995
port-object eq 587
object-group service nfuse tcp
port-object eq www
port-object eq https
object-group service citrix tcp
port-object eq citrix-ica
object-group service chi1 tcp
port-object eq 587
port-object eq pop3
object-group service dmz1 tcp
description dmz ports
port-object eq 47807
port-object eq 4899
port-object eq ftp
port-object eq www
port-object eq domain
object-group service dmz2 udp
port-object eq 47806
port-object eq 47808
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.75 object-group nfuse
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.71 object-group citrix
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit ip 209.248.59.0 255.255.255.0 host 65.xxx.xxx.71
access-list outside_access_in extended permit ip 65.171.235.0 255.255.255.0 host 65.xxx.xxx.71
access-list outside_access_in extended permit ip 209.248.59.0 255.255.255.0 host 65.119.0.1
access-list outside_access_in extended permit ip 65.171.235.0 255.255.255.0 host 65.119.0.1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.67 object-group spi1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.68 object-group chi1
access-list outside_access_in extended permit tcp any host 65.xxx.xxx.69 object-group dmz1
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 65.xxx.xxx.64 255.255.255.224 eq www
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_in extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0

ip local pool acmepool 192.168.10.1-192.168.10.200
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1

arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list vpn_in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 587 10.1.1.10 587 netmask 255.255.255.255
static (inside,outside) 65.xxx.xxx.71 10.1.1.5 netmask 255.255.255.255
static (inside,outside) 65.xxx.xxx.75 10.1.1.27 netmask 255.255.255.255
static (inside,dmz) 10.1.1.149 10.1.1.149 netmask 255.255.255.255
static (inside,outside) 65.xxx.xxx.68 10.1.2.6 netmask 255.255.255.255
static (dmz,outside) 65.xxx.xxx.69 192.168.1.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 65.xxx.xxx.65 1
route inside 10.1.0.0 255.255.0.0 10.1.1.1 1

http server enable
http 10.1.1.0 255.255.255.0 inside
telnet 10.1.0.0 255.255.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside

So you have a Wireless network connected to the DMZ and you want to allow access from the DMZ to the Internet?

Your config seems ok you have a Global and a NAT command to allow Internet access, is the wireless network on the 192.168.1.x network?

and connected to the DMZ?

i may have miss-understood the question..

So you have a Wireless network connected to the DMZ and you want to allow access from the DMZ to the Internet?

sidewinds, if what ikon said is what you want to do then, try fixing or even removing the dmz_access_in ACL in the following lines:

[code:1]access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 65.xxx.xxx.64 255.255.255.224 eq www
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any [/code:1]

The implicit deny prevents any TCP connection destined to internet addresses from going in the dmz interface. Try temporarily removing the line:

[code:1]access-group dmz_access_in in interface dmz [/code:1]

I just had a quick look. There might be other issues too.

access-list dmz_access_in extended permit icmp any any

I am not sure what is this line for but this doesn't work
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 65.xxx.xxx.64 255.255.255.224 eq www

Here you have permited all UDP traffic, but you are missing TCP traffic.
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 any

I suggest to do the following

access-list dmz_access_in permit tcp 192.168.1.0 255.255.255.0 gt 1023 host 10.1.1.149 eq 234

in other words allow only traffic to certain hosts, add x n lines for each required traffic. As there is no traslation between these two zones.

Next in acl you should deny access to your internal private range
access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0

After this you should allow next
access-list dmz_access_in permit tcp 192.168.1.0 255.255.255.0 gt1023 any
(or narrow it down to tcp ports 20, 21,53, 80, 443 - make object group)
access-list dmz_access_in permit udp 192.168.1.0 255.255.255.0 gt1023 any
(same here)

end acl with
deny any any log

After you apply run next
debug packet dmz src 192.168.1.x dst 95.256.125.1
debug packet outside src any dst 95.256.125.1

You should see traffic comming to asa and going out to outside world.

Address 192.168.1.x must not pass through ASA, as this traffic is must not pass.

Please give sh ver results too.

Regards,
Obelisk

While I don't know enough about your architecture to be sure (are you running public services there?), the words wireless connected to DMZ made me shudder a bit.

Are you using DMZ just for the Wi-Fi in other words is it just another leg off your router/firewall? I'm asking because I'm thinking of DMZ in the classical sense, as in the segment that provides public services.

If that's the case, then think long and hard about whether you want to put that AP in the DMZ.

Cheers,