topic Re: ASA & DMZ in Network Security

ASA & DMZ

qumarce-habibzadeh — Wed, 22 Apr 2026 15:58:25 GMT

Hello everyone, this is my first experience with ASA in GNS3. My PC3 from outside cannot communicate with the DMZ. What should I change? Thanks in advance

********************

ASA Version 9.8(3)

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.16.1.2 255.255.0.0

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 20.20.20.1 255.255.255.0

object network inside-net

subnet 192.168.1.0 255.255.255.0

object network DMZ-net

host 20.20.20.20

access-list 101 extended permit ip any any

access-list 101 extended permit tcp any any

access-list 101 extended permit icmp any any

access-list DMZ extended permit ip any any

access-list DMZ extended permit tcp any any

access-list DMZ extended permit icmp any any

object network inside-net

nat (inside,outside) dynamic interface

object network DMZ-net

nat (DMZ,outside) static 172.16.1.1

access-group DMZ in interface outside

access-group DMZ out interface outside

router rip

network 20.0.0.0

network 172.16.0.0

network 192.168.1.0

version 2

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect ip-options

inspect icmp

service-policy global_policy global

: end

Re: ASA & DMZ

Rob Ingram — Wed, 22 Apr 2026 17:23:32 GMT

@qumarce-habibzadeh you've create a static NAT for the DMZ host "DMZ-net" using an IP address of 172.16.1.1 which is the same IP address as the next hop for your default gateway. You would need to change the NAT IP address so it does not conflict with the default gateway.

object network DMZ-net
 nat (DMZ,outside) static 172.16.1.1

!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

Re: ASA & DMZ

Jonatan Jonasson — Wed, 22 Apr 2026 17:27:58 GMT

see you're NAT-ing the 20.20.20.20 to 172.16.1.1, and the default route is also pointing to 172.16.1.1.

Either one of those is incorrect. If the router has 172.16.1.1, then you can't also use that for the static nat.
If the router has another ip address, then the default route is incorrect and doesn't point to the router.

How are you testing the reachability from PC3?

Re: ASA & DMZ

qumarce-habibzadeh — Wed, 22 Apr 2026 18:04:30 GMT

Hello all together!

I changed so: ASA(config-network-object)# nat (DMZ,outside) static 172.16.1.0

The ICMP from PC2 (DMZ) to PC3 (Outside) is psitive but from outside to DMZ is not possible.

Which IP-Address ist the best for Static?

Re: ASA & DMZ

qumarce-habibzadeh — Wed, 22 Apr 2026 18:31:50 GMT

From GNS3 I get this message:

Warning: ASAv platform license state is Unlicensed.
Install ASAv platform license for full functionality.

How can I fix it?

Re: ASA & DMZ

qumarce-habibzadeh — Wed, 22 Apr 2026 18:42:48 GMT

I changed static ip to 20.20.20.1 and I put a new PC4 into DMZ whit ip 20.20.20.21.

It works, but I don’t know wahy not whit 20.20.20.20 ??

PC3> ping 20.20.20.21

84 bytes from 20.20.20.21 icmp_seq=1 ttl=63 time=30.760 ms

84 bytes from 20.20.20.21 icmp_seq=2 ttl=63 time=31.479 ms

84 bytes from 20.20.20.21 icmp_seq=3 ttl=63 time=31.429 ms

84 bytes from 20.20.20.21 icmp_seq=4 ttl=63 time=31.297 ms

84 bytes from 20.20.20.21 icmp_seq=5 ttl=63 time=31.623 ms

PC2> ping 10.10.10.10

84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=32.438 ms

84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=32.463 ms

84 bytes from 10.10.10.10 icmp_seq=3 ttl=63 time=32.989 ms

84 bytes from 10.10.10.10 icmp_seq=4 ttl=63 time=33.069 ms

84 bytes from 10.10.10.10 icmp_seq=5 ttl=63 time=32.990 ms

Re: ASA & DMZ

Rob Ingram — Wed, 22 Apr 2026 19:00:42 GMT

@qumarce-habibzadeh I expect 20.20.20.21 responds because you don't have NAT object for it, therefore it's routed?

Provide R1 configuration and the updated ASA configuration rather than have us guess.

You can ignore the license warning in the lab, throughput is just throttled, else buying a license would stop the license warning!

Re: ASA & DMZ

qumarce-habibzadeh — Wed, 22 Apr 2026 19:15:10 GMT

Thank you Rob!!!

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 13:29:29 GMT

Hi Rob,

here what you would!

*********

ASA Version 9.8(3)

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.16.1.2 255.255.255.252

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 20.20.20.1 255.255.255.0

object network inside-net

subnet 192.168.1.0 255.255.255.0

object network DMZ-net

host 20.20.20.20

access-list 101 extended permit ip any any

access-list 101 extended permit tcp any any

access-list 101 extended permit icmp any any

access-list DMZ extended permit ip any any

access-list DMZ extended permit tcp any any

access-list DMZ extended permit icmp any any

object network inside-net

nat (inside,outside) dynamic interface

object network DMZ-net

nat (DMZ,outside) static 20.20.20.1

access-group DMZ in interface outside

access-group DMZ out interface outside

router rip

network 20.0.0.0

network 172.16.0.0

network 192.168.1.0

version 2

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

: end

ASA#

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 14:44:45 GMT

I put Access-group DMZ in / out interface DMZ and change IP of PC2 to 20.20.20.22.

Connection between OUTSIDE and DMZ ist well.

Re: ASA & DMZ

Rob Ingram — Thu, 23 Apr 2026 15:03:45 GMT

@qumarce-habibzadeh 20.20.20.22 is being routed (same as 20.20.20.21) as there is no specific NAT rule. Your NAT rule for object "DMZ-net" is incorrect which is why 20.20.20.1 did not work.

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 15:03:20 GMT

Hi Rob!

It will be thanksful, when you look at my Config and show me which IP is the correct for DMZ static:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.16.1.2 255.255.255.252

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 20.20.20.1 255.255.255.0

object network inside-net

subnet 192.168.1.0 255.255.255.0

object network DMZ-net

host 20.20.20.20

access-list 101 extended permit ip any any

access-list 101 extended permit tcp any any

access-list 101 extended permit icmp any any

access-list DMZ extended permit ip any any

access-list DMZ extended permit tcp any any

access-list DMZ extended permit icmp any any

object network inside-net

nat (inside,outside) dynamic interface

object network DMZ-net

nat (DMZ,outside) static 20.20.20.1

access-group DMZ in interface outside

access-group DMZ out interface outside

access-group DMZ in interface DMZ

access-group DMZ out interface DMZ

router rip

network 20.0.0.0

network 172.16.0.0

network 192.168.1.0

version 2

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

: end

ASA#

Re: ASA & DMZ

Rob Ingram — Thu, 23 Apr 2026 15:12:13 GMT

@qumarce-habibzadeh you cannot NAT the DMZ host behind the ASA's DMZ interface, you have to NAT it behind the ASA's outside interface or an IP address in the same network as the outside interface or another network that is routed to the outside interface of the ASA.

Because you are now using a /30 you cannot use another IP address in the same network as the outside interface, change it to a /24 then use a spare IP address. Change the PC back to the IP 20.20.20.20 so it will be translated.

Example:-

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
object network DMZ-net
 host 20.20.20.20
 nat (DMZ,outside) static 172.16.1.20

Ensure the subnet mask of the R1 F0/0 interface is a /24 - 172.16.1.1/255.255.255.0

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 15:58:58 GMT

@rob

I did it, but there is no connection from 10.10.10.10 to 20.20.20.20!

Other connection are well!

PC3> ping 20.20.20.20

20.20.20.20 icmp_seq=1 timeout

20.20.20.20 icmp_seq=2 timeout

20.20.20.20 icmp_seq=3 timeout

20.20.20.20 icmp_seq=4 timeout

20.20.20.20 icmp_seq=5 timeout

PC3> ping 20.20.20.21

84 bytes from 20.20.20.21 icmp_seq=1 ttl=63 time=30.866 ms

84 bytes from 20.20.20.21 icmp_seq=2 ttl=63 time=30.840 ms

84 bytes from 20.20.20.21 icmp_seq=3 ttl=63 time=31.555 ms

84 bytes from 20.20.20.21 icmp_seq=4 ttl=63 time=31.113 ms

84 bytes from 20.20.20.21 icmp_seq=5 ttl=63 time=31.898 ms

Re: ASA & DMZ

Rob Ingram — Thu, 23 Apr 2026 16:03:15 GMT

@qumarce-habibzadeh but if you are NATTING then you'd need to ping the NAT IP address (assuming the traffic is permitted in the firewall rule). If you want to ping the real IP address (20.20.20.20) then delete the NAT object.

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 16:17:28 GMT

Dear Rob!

I changed it so and everything go well!

ASA(config)# object network DMZ-net

ASA(config-network-object)# host 20.20.20.1

ASA(config-network-object)# nat (DMZ,outside) static 172.16.1.20

PC3> ping 20.20.20.20

84 bytes from 20.20.20.20 icmp_seq=1 ttl=63 time=30.551 ms

84 bytes from 20.20.20.20 icmp_seq=2 ttl=63 time=31.396 ms

84 bytes from 20.20.20.20 icmp_seq=3 ttl=63 time=31.411 ms

84 bytes from 20.20.20.20 icmp_seq=4 ttl=63 time=30.852 ms

84 bytes from 20.20.20.20 icmp_seq=5 ttl=63 time=31.120 ms

PC2> ping 10.10.10.10

84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=33.517 ms

84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=33.297 ms

84 bytes from 10.10.10.10 icmp_seq=3 ttl=63 time=32.445 ms

84 bytes from 10.10.10.10 icmp_seq=4 ttl=63 time=32.800 ms

84 bytes from 10.10.10.10 icmp_seq=5 ttl=63 time=32.826 ms

Thank you for good support

Re: ASA & DMZ

Rob Ingram — Thu, 23 Apr 2026 16:24:29 GMT

@qumarce-habibzadeh well it worked because you changed the object DMZ-net host address to 20.20.20.1, therefore the NAT rule did not match the ping traffic and was routed.

Re: ASA & DMZ

qumarce-habibzadeh — Thu, 23 Apr 2026 17:09:59 GMT

@rob

Is my Wey the correct Solution or not?

When not, is the DMZ whidout NAT the correct answer?

Re: ASA & DMZ

Rob Ingram — Thu, 23 Apr 2026 17:15:31 GMT

@qumarce-habibzadeh if the DMZ servers have publically routeable IP addresses then NAT is not required.