Assuming you have the configuration you have posted above, you will need to allow DNS protocol on the dmz_int access list as below:

access-list dmz_int extended permit udp host 172.16.16.80 any eq 53

Also, to access the web server on port 80 from outside, you need to create a static NAT command between dmz and outside ( something that you have done already) and also allow port 80 on the outside acl (which you have done already as well). The problem is that you have not attached the outside_in acl on the outside interface:

access-group outside_in in interface outside

After you do the above, you will be able to access the web server via 41.223.156.107 (on port 80 though, NOT on 8080)

OK??

Well im really sorry for my insistence or for being so hard to understand you. but one thing is for sure, since i started writting you, i´ve been improving my skill as far as asa appliance is concern.

Well as i said before and as you know i was having a problem with my internal users who couldnot access my dmz zone…but now with the above sh run config (still the latest) it seem i can reach my dmz zone specifically to the server with ip 172.16.16.80 for www, as i have installed in this server a EASY PHP WEBSERVER..and from the inside pc or network (10.1.4.x) i can access that webserver through the browser 172.16.16.80:8080 and it open that web server.

So now the problem is: the server on dmz doent have internet access…could you please help me with the right config command (access list) hat will allow server on dmz to have internet?pls

On the Other side…..from the outside, or internet i tried to reach that server on dmz through its private or translated ip address, so through the browser i type (41.223.156.106:8080)or even without the 8080…but i couldnt reach that webpage on the server on dmz.

Could you pls help me finding out why im not accessing my server on dmz??pls

Dear Admin….pls forive as im still to young and just learning about the security appliance…..remember your help could be so vital and could make such a big impact.

I thank you in advanced.

BD

To allow ping you must allow icmp echo-reply on the dmz_int access-list. Also, to allow internet access from the dmz, you must allow DNS udp 53 on the dmz_int access list as well.

As you may know im stil struggling in getting my inside network to access or communicate to my dmz .

As i got another ASA5520 for my test, so i have configured the other asa, and according to this configuration bellow, i have installed a the EASYphp web server on the Server with 172.16.16.80 the wwww on the dmz. so now, from the inside network i can access that page, but i got dont get successfull ping like for instence at the same server with 172.16.16.80 even though i can access the web server on it through the easy php applic.

The other thing is that i dont have internet connection on my dmz, i mean the servers with 172.16.16.80 the www and 172.16.16.25 emal server

However, my concern is……does it really means that my inside network is communicating with the dmx now?
How do i enable reall ping?? is there any command to enable ping?

Dear BlogAdmin, according to my config bellow, can you recheck it for me if i have missed anything else.

Why im not getting succeessfull ping to dmz?but it can open the web server i have installed on server on the dmz? why im not getting internet on the dmz? can you pls help?
What other real test i should make to make sure im reaching my dmz? since right now i dont have yet the www and smtp email server running?

Dear BlogAdmin, i should always thank you so much for your time and cooperation, and remember that ant single help from you will be highly appretiated.

Thanx in advanced:

ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name parlamento.ao
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Link to Gateway
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link to Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description Link to dmz
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.100 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end

BD

I did accordingly to your above statement, and everything is back to normal, i mean the inside network now can access internet back, and thank you so much for your precious time and cooperation for being there as great IT professional, and as well for sharing your vision….i thank you Sir.

So by the way, the internal network still cannot reach my dmz.
Anyone can help according to the ASA 5520 v7 sh run please?

BD

Put back the nat statements as below:

nat (inside) 1 10.1.4.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface

and remove the nat 0 command:

no nat (inside) 0 access-list nonat

I have procceede accordingly exactly as you said….
but unfortunatly it still didnt work…..insteady, after that i have no internet at all…

All the Inside PC or my entire network has no internet connection…it fails automatically after that…

How do i remove the above commands pls… i need the internet back or to bring back everything as before pls.

And as for my issue…any other clear idea why im not accessing my dmz from the inside network??

BD

no nat (inside) 1 10.1.4.0 255.255.255.0
no global (dmz) 2 interface
global (dmz) 1 interface

My appology for not being able to give you the feedback of your last reply to my quations coz i´ve been out for work to a place with no internet accesas. my problem was that my internal PCs cannot reach my dmz.

Last reply of you, you said i should remove this static :static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0 coz when i past it, it still didnt work.

So then you said, if my problem is just the communication between inside to dmz, i should do this:

First Remove the static NAT, and then do the following:
global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0

well i did it, i past the global (dmz) 2 interface
and when i past this; nat (inside) 2 10.1.4.0 255.255.252.0 it said duplicated entry….result my internal PCs still cannot access my server on dmz.

Dear BlogAdmin….im really so disparated and sorry for that. so any other help please?

by the way i have pasted my updated ASA sh run so you can have a better idea.

:
ASA Version 7.0(8)
!
hostname ASA2
domain-name assembleia.ao
enable password YVYn8G/3D1COct9U encrypted
passwd YVYn8G/3D1COct9U encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description “Link-To-GW-Router”
nameif outside
security-level 0
ip address 41.223.xx.xx 255.255.255.0
!
interface GigabitEthernet0/1
description Link To Local Lan
nameif inside
security-level 100
ip address 10.1.4.x 255.255.255.0
!
interface GigabitEthernet0/2
description “Link-To-DMZ”
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.x 255.255.255.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
5.0
access-list cap extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.25
5.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.
255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.252.0
static (dmz,outside) tcp 41.223.XX.XX www 172.16.16.80 www netmask 255.255.255
.255
static (dmz,outside) tcp 41.223.XX.XX smtp 172.16.16.25 smtp netmask 255.255.2
55.255
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 inside
http 10.1.6.0 255.255.255.0 inside
http 10.1.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.0 255.255.255.255 inside
ssh 10.1.5.0 255.255.255.255 inside
ssh 10.1.6.0 255.255.255.255 inside
ssh 10.1.7.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:1442681c2a378d10f026df4cf1005452
: end

Pls help.

thatnx for your repply

By the way, you mean i should remove this static :

static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0

and past this one above:

global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0

right?

And according to my router theres nothing that could stop or block any acces right.

Thank you so much

BD