ASA 5505 Access between inside and DMZ config

Derek McCormick
Level 1

Hi

I have an ASA 5505 running 8.2.5 software and I am trying to configure access between the inside network and the DMZ and vice versa. My inside network is 172.16.1.0/24 and my DMZ network is 172.16.2.0/24. My background is Cisco UC, so my firewall knowledge is very basic. Does anybody have a simple configuration for this scenario?

Thanks in advance,

Derek

3 Replies

will
Level 3

Hi Derek, here are some general ideas, keeping in mind you need the correct licensing level on the ASA 5505 before you can even do these steps. Most 5505 devices are not licensed at that level, so you may run into this limitation. You need this ASA license level:

ASA5505-SEC-BUN-K9
L-ASA5505-SEC-PL=

This allows the DMZ-INSIDE communication.

Then you would configure something like this:

nat0 (inside, dmz) 172.16.2.0/24 172.16.1.0/24

The key is nat 0 (note the zero). Also, you would want to configure the appropriate ACLs on the inside and DMZ interfaces. It's probably easier to create inbound traffic ACLs, designating which traffic you want to originate from each subnet to the other.
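The following is an added, worked 8.2(5) configuration for the two subnets in the question; it is not part of the thread and not Will's config. The VLAN numbers, interface addresses (172.16.1.1 and 172.16.2.1), the DMZ switchport, the ACL names and the inside host 172.16.1.10 on TCP 1433 are assumptions chosen for illustration. Two caveats on the licensing point: the Base license on a 5505 does allow a third VLAN, but that VLAN must carry "no forward interface" toward one other VLAN, which is what stops DMZ-initiated connections to inside; Security Plus removes that restriction. And nat 0 is only needed when nat-control is enabled or an existing dynamic rule such as "nat (inside) 1 0.0.0.0 0.0.0.0" would otherwise catch inside-to-dmz traffic with no global pool on dmz.

```cisco
! ASA 5505, 8.2(5): inside (172.16.1.0/24) <-> dmz (172.16.2.0/24)
! VLAN numbers, interface addresses, ACL names and host 172.16.1.10 are assumed for this example.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.2.1 255.255.255.0
 ! Base license only: the third VLAN may not initiate traffic to one other VLAN.
 ! Remove this line on Security Plus; on Base it also blocks DMZ-initiated access to inside.
 no forward interface Vlan1
!
interface Ethernet0/2
 switchport access vlan 3
!
! NAT exemption ("nat 0" with an ACL). It is bidirectional: hosts on either side
! can initiate, and neither address is translated.
access-list INSIDE_DMZ_NONAT extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT
!
! inside (100) -> dmz (50) is allowed by default when no ACL is applied inbound on inside.
! dmz (50) -> inside (100) is denied by default; permit only what DMZ hosts need,
! then deny the rest of inside explicitly so the hit counts are visible in "show access-list".
access-list DMZ_IN extended permit tcp 172.16.2.0 255.255.255.0 host 172.16.1.10 eq 1433
access-list DMZ_IN extended deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 172.16.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

To check the result before trusting it, run packet-tracer from the DMZ side, for example "packet-tracer input dmz tcp 172.16.2.20 12345 172.16.1.10 1433", and confirm the NAT phase shows the exemption and the ACL phase shows DMZ_IN; a second run against a port not in the ACL should be dropped by the explicit deny. The ordering of the DMZ_IN entries matters: the "permit ip ... any" line exists so DMZ hosts keep Internet access, and it must sit after the deny toward inside.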

Hi Will,

That command is not supported in 8.2.5 software. Is there an equivalent command?

Cheers,
Derek

Hi Derek, NAT changed a lot from 8.2 to 8.3. I'm pretty sure that 8.2.5 still supports nat 0. It's 8.3 and higher that doesn't support it. Are you talking about the 8.5 release? Anyway, here is another post which briefly goes over the differences:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Here is a specific example of no-NAT in 8.3 and higher:

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html

Notice the use of "static," and the same object name repeated twice. This basically means make a one-to-one IP mapping (static) with the object XYZ IP on one side, keeping the same object XYZ IP on the other side.

8.3 and higher really "boogered" up NAT on the ASA, so it has got a big learning curve around it. A lot of these NAT CLI commands in 8.3 and higher are not very intuitive. It's better to use the ASDM and let it "poop" out the command. :)
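For readers on 8.3 or later, here is an added example of the same inside/DMZ exemption written as an 8.3+ identity rule; it is not from the thread or from the linked articles. The object names INSIDE-NET and DMZ-NET, the PAT rule toward an interface named outside, and the host 172.16.1.10 on TCP 1433 are this example's own assumptions. The repeated object name is the "static X X" pattern Will describes: the source stays itself and the destination stays itself, so nothing is translated between the two interfaces.

```cisco
! ASA 8.3+: identity (manual/twice) NAT replaces "nat (inside) 0 access-list".
! Object names, the outside PAT rule and host 172.16.1.10 are assumed for this example.
object network INSIDE-NET
 subnet 172.16.1.0 255.255.255.0
 ! Ordinary Internet PAT, scoped to (inside,outside); it never matches inside->dmz traffic.
 nat (inside,outside) dynamic interface
!
object network DMZ-NET
 subnet 172.16.2.0 255.255.255.0
!
! Manual NAT (section 1, evaluated before object NAT): source stays INSIDE-NET,
! destination stays DMZ-NET, in both directions between inside and dmz.
! Needed only if some broader rule, e.g. nat (inside,any), would otherwise match.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! ACLs in 8.3+ are written against the real (untranslated) addresses, so the
! same objects can be reused here. The Base-license "no forward interface"
! restriction on the DMZ VLAN still applies on the 5505 regardless of NAT style.
access-list DMZ_IN extended permit tcp object DMZ-NET host 172.16.1.10 eq 1433
access-list DMZ_IN extended deny ip object DMZ-NET object INSIDE-NET
access-list DMZ_IN extended permit ip object DMZ-NET any
access-group DMZ_IN in interface dmz
```

Verify with "show nat" (the identity rule should appear under "Manual NAT Policies (Section 1)" with translate_hits climbing as inside/DMZ traffic flows) and with packet-tracer from each side; if the PAT rule ever shows hits for inside-to-dmz flows, the identity rule is missing or ordered after a rule that catches the traffic first.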
