https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008111#M940514 <HTML><HEAD></HEAD><BODY><P>It looks like your "static (DMZ,inside) 172.25.1.1 192.168.150.33 netmask 255.255.255.255" statement is in error. Its saying that 192.168.150.33 is the same device as 172.25.1.1? I dont think you are trying to do that, take it out, then it should work.</P></BODY></HTML> Tue, 25 Mar 2008 19:23:55 GMT cjake7777 2008-03-25T19:23:55Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008106#M940501 <P>Hi people,</P><P></P><P>in a 5510 ASA I need to install some public servers in DMZ interface, some of them need to get access to internal network, however, I put a static and the access-list to do that, but logging says theres not translation between them (DMZ and Internal) what do I need to do, is there some aditional configuration?</P><P></P><P>In fac, my servers are working fine with a static and the access-list for them, and they can be accessed form internet with no problem, </P><P></P><P>can somebody help me please ??</P><P></P><P>Martin</P> Mon, 11 Mar 2019 12:21:07 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008106#M940501 mcelec 2019-03-11T12:21:07Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008107#M940503 <HTML><HEAD></HEAD><BODY><P>Martin,</P><P></P><P>Can you post the static and access list you are using.</P><P></P><P>Which direction are you initiating the traffic - from inside to DMZ or DMZ to inside?</P><P></P><P></P></BODY></HTML> Sun, 23 Mar 2008 17:26:01 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008107#M940503 sundar.palaniappan 2008-03-23T17:26:01Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008108#M940505 <HTML><HEAD></HEAD><BODY><P>Hi sundar, I need to get access from DMZ's host to inside's host (email server).</P><P></P><P>thanks for your help</P><P></P><P>Martin</P><P></P><P> </P><P></P></BODY></HTML> Tue, 25 Mar 2008 17:44:42 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008108#M940505 mcelec 2008-03-25T17:44:42Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008109#M940507 <HTML><HEAD></HEAD><BODY><P>It looks like the access-list "DMZ_access_in" may have an error. You are permitting the real DMZ IP address to the NAT'd inside address. Wouldn't you want to permit it to the inside server (the one you are trying to communicate with). For example:</P><P></P><P>access-list DMZ_access_in extended permit ip host 192.168.150.33 host <SERVER you="" wish="" to="" talk="" to=""> </SERVER></P><P></P></BODY></HTML> Tue, 25 Mar 2008 18:22:37 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008109#M940507 derrickc 2008-03-25T18:22:37Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008110#M940511 <HTML><HEAD></HEAD><BODY><P>Martin,</P><P></P><P>Yes, as the previous poster indicated you need to permit the host on the DMZ (192.168.150.33) to access the device (inside host) in your DMZ ACL. Alternatively, you can configure the DMZ host access the entire inside network as follows.</P><P></P><P>access-list DMZ_access_in extended permit ip host 192.168.150.33 172.25.1.0 255.255.255.0</P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Tue, 25 Mar 2008 19:10:00 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008110#M940511 sundar.palaniappan 2008-03-25T19:10:00Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008111#M940514 <HTML><HEAD></HEAD><BODY><P>It looks like your "static (DMZ,inside) 172.25.1.1 192.168.150.33 netmask 255.255.255.255" statement is in error. Its saying that 192.168.150.33 is the same device as 172.25.1.1? I dont think you are trying to do that, take it out, then it should work.</P></BODY></HTML> Tue, 25 Mar 2008 19:23:55 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008111#M940514 cjake7777 2008-03-25T19:23:55Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008112#M940518 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>I modifyed the access-list</P><P></P><P>access-list DMZ_access_in extended permit ip host 192.168.150.33 172.25.1.0 255.255.255.0 </P><P></P><P>but it is not working still.</P><P></P><P>logging message:</P><P>No translation group found for icmp src DMZ:192.168.150.33 dst inside:172.25.1.1 (type8, code0)</P><P></P><P>please, any aditional comment</P><P></P><P>Martin</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 25 Mar 2008 19:24:44 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008112#M940518 mcelec 2008-03-25T19:24:44Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008113#M940522 <HTML><HEAD></HEAD><BODY><P>We misunderstood your requirement. It looks like you are trying to get 192.168.150.33 talk to 172.25.1.1, correct?</P><P></P><P>If it is then change the static as follows and test.</P><P></P><P>no static (DMZ,inside) 172.25.1.1 192.168.150.33 netmask 255.255.255.255</P><P></P><P>static (DMZ,inside) 192.168.150.33 192.168.150.33 netmask 255.255.255.255</P><P></P><P>Keep the access list one of two ways.</P><P></P><P>access-list DMZ_access_in extended permit ip host 192.168.150.33 host 172.25.1.1</P><P>(or)</P><P></P><P>access-list DMZ_access_in extended permit ip host 192.168.150.33 172.25.1.0 255.255.255.0 </P><P></P><P></P></BODY></HTML> Tue, 25 Mar 2008 19:33:49 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008113#M940522 sundar.palaniappan 2008-03-25T19:33:49Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008114#M940527 <HTML><HEAD></HEAD><BODY><P>A way to get around "static (DMZ,inside) 192.168.150.33 192.168.150.33 netmask 255.255.255.255" is nat 0 statements. ex:</P><P>access-list 100 extended permit ip 172.25.1.0 255.255.255.0 192.168.150.0 255.255.255.0</P><P>!</P><P>nat (inside) 0 access-list 100</P><P>! </P><P>I just hate those crazy static statements....Just a suggestion</P></BODY></HTML> Tue, 25 Mar 2008 19:48:48 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008114#M940527 cjake7777 2008-03-25T19:48:48Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008115#M940530 <HTML><HEAD></HEAD><BODY><P>Thanx very much folks for your help,</P><P></P><P>I do not know why Static and ACL is not working yet, but, nat 0 is working, then, I gonna install nat 0 config because I really need it, but I would like to know a nice document about this configuration, somebody knows a nice pdf about that ??</P><P></P><P>Martin</P></BODY></HTML> Tue, 25 Mar 2008 22:28:39 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008115#M940530 mcelec 2008-03-25T22:28:39Z https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008116#M940531 <HTML><HEAD></HEAD><BODY><P>Martin,</P><P></P><P>The static identify nat I had suggested earlier should have worked as well. Did you do a 'clear xlate' after making the configuration change?</P><P></P><P>As you are probably aware the static identity nat and nat 0 should produce the same result, which is to pass traffic without IP translation.</P><P></P><P>The following link has examples for both.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1043458" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1043458</A></P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Wed, 26 Mar 2008 00:14:01 GMT https://community.cisco.com/t5/network-security/dmz-accesing-internal-network-on-asa/m-p/1008116#M940531 sundar.palaniappan 2008-03-26T00:14:01Z