topic It sounds like you need in Network Security https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874112#M172391 <P>It sounds like you need something like:</P> <P></P> <PRE class="prettyprint"><SPAN>access-list DMZ_access_in extended permit ip object Webshop any</SPAN></PRE> Fri, 19 Feb 2016 13:19:14 GMT Philip D'Ath 2016-02-19T13:19:14Z ASA 5506 NAT issues. https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874111#M172390 <P>Hi there...</P> <P></P> <P>I have recently installed a 5506 at a customer WHO has two servers that needs NAT.</P> <P>One of them is a web server on a DMZ and i have enabled NAT with a public ip on src: DMZ, dest.:OUTSIDE.</P> <P>Also i have made two access rules that</P> <UL> <LI>allows OUTSIDE to access the webserver by http/https</LI> <LI>allows webserver to access an INSIDE server on port 587.</LI> </UL> <P></P> <P>it works.. well allmost. The web server cannot access the internet for some reason so i tried to make an access rule that</P> <UL> <LI>allows webserserver to access OUTSIDE on ip</LI> </UL> <P></P> <P>object network Applikation<BR />&nbsp;host 192.168.2.2</P> <P>object network Webshop<BR />&nbsp;host 192.168.253.2</P> <P></P> <P>access-list DMZ_access_in extended permit ip object Webshop interface outside <BR />access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object Webshop object Applikation</P> <P>...</P> <P>object network Webshop<BR />&nbsp;nat (DMZ,outside) static &lt;public IP&gt;</P> <P></P> <P>I am new on Cisco (well its&nbsp;about 14 years since i had anything to do with them) so any explanations would be great.</P> <P></P> <P></P> Tue, 12 Mar 2019 07:21:32 GMT https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874111#M172390 jm 2019-03-12T07:21:32Z It sounds like you need https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874112#M172391 <P>It sounds like you need something like:</P> <P></P> <PRE class="prettyprint"><SPAN>access-list DMZ_access_in extended permit ip object Webshop any</SPAN></PRE> Fri, 19 Feb 2016 13:19:14 GMT https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874112#M172391 Philip D'Ath 2016-02-19T13:19:14Z Hi Philip and thanks. https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874113#M172392 <P>Hi Philip and thanks.</P> <P>Well i have tried that but it opens op for access to all. That Means my webserver also have access to the inside Network.</P> <P>So i have to make deny rules on inside to block the things i dont want in there?</P> Fri, 19 Feb 2016 13:24:58 GMT https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874113#M172392 jm 2016-02-19T13:24:58Z Yes in that case before the https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874114#M172393 <P>Yes in that case before the line put in another line denying it access to the internal network.</P> <P></P> <P>So something like:</P> <PRE class="prettyprint prettyprinted"><SPAN><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list DMZ_access_in extended permit ip </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">Webshop</SPAN><SPAN class="pln"> object application<BR /></SPAN></SPAN><SPAN><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list DMZ_access_in extended deny ip </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">Webshop</SPAN><SPAN class="pln"> 192.168.2.0 255.255.255.0<BR /></SPAN></SPAN><SPAN><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list DMZ_access_in extended permit ip </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">Webshop</SPAN><SPAN class="pln"> any</SPAN></SPAN></PRE> Fri, 19 Feb 2016 13:27:41 GMT https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874114#M172393 Philip D'Ath 2016-02-19T13:27:41Z Thanks. That worked :) https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874115#M172394 <P>Thanks. That worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P>Have a nice weekend.</P> <P></P> <P>Johnny</P> Fri, 19 Feb 2016 13:52:55 GMT https://community.cisco.com/t5/network-security/asa-5506-nat-issues/m-p/2874115#M172394 jm 2016-02-19T13:52:55Z