2208 Views, 0 Helpful, 18 Replies

ASA & DMZ

Hello everyone, this is my first experience with ASA in GNS3. My PC3 from outside cannot communicate with the DMZ. What should I change? Thanks in advance

********************

ASA Version 9.8(3)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network DMZ-net
 host 20.20.20.20
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list DMZ extended permit ip any any
access-list DMZ extended permit tcp any any
access-list DMZ extended permit icmp any any
!
object network inside-net
 nat (inside,outside) dynamic interface
object network DMZ-net
 nat (DMZ,outside) static 172.16.1.1
access-group DMZ in interface outside
access-group DMZ out interface outside
router rip
 network 20.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
: end

Accepted Solution

@qumarce-habibzadeh if the DMZ servers have publically routeable IP addresses then NAT is not required.


18 Replies

@qumarce-habibzadeh you've created a static NAT for the DMZ host "DMZ-net" using an IP address of 172.16.1.1, which is the same IP address as the next hop for your default gateway. You would need to change the NAT IP address so it does not conflict with the default gateway.

object network DMZ-net
 nat (DMZ,outside) static 172.16.1.1

!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

 

I see you're NAT-ing the 20.20.20.20 to 172.16.1.1, and the default route is also pointing to 172.16.1.1.

Either one of those is incorrect. If the router has 172.16.1.1, then you can't also use that for the static nat.
If the router has another ip address, then the default route is incorrect and doesn't point to the router.

How are you testing the reachability from PC3?

---
Please mark helpful answers & solutions
---

Hello everyone!

I changed it to: ASA(config-network-object)# nat (DMZ,outside) static 172.16.1.0

The ICMP from PC2 (DMZ) to PC3 (Outside) is positive, but from outside to DMZ it is not possible.

Which IP address is the best for static?

From GNS3 I get this message:

Warning: ASAv platform license state is Unlicensed.
Install ASAv platform license for full functionality.

How can I fix it?

I changed the static IP to 20.20.20.1 and put a new PC4 into the DMZ with IP 20.20.20.21.

It works, but I don't know why not with 20.20.20.20??

PC3> ping 20.20.20.21
84 bytes from 20.20.20.21 icmp_seq=1 ttl=63 time=30.760 ms
84 bytes from 20.20.20.21 icmp_seq=2 ttl=63 time=31.479 ms
84 bytes from 20.20.20.21 icmp_seq=3 ttl=63 time=31.429 ms
84 bytes from 20.20.20.21 icmp_seq=4 ttl=63 time=31.297 ms
84 bytes from 20.20.20.21 icmp_seq=5 ttl=63 time=31.623 ms

PC2> ping 10.10.10.10
84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=32.438 ms
84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=32.463 ms
84 bytes from 10.10.10.10 icmp_seq=3 ttl=63 time=32.989 ms
84 bytes from 10.10.10.10 icmp_seq=4 ttl=63 time=33.069 ms
84 bytes from 10.10.10.10 icmp_seq=5 ttl=63 time=32.990 ms

@qumarce-habibzadeh I expect 20.20.20.21 responds because you don't have a NAT object for it, therefore it's routed?

Provide the R1 configuration and the updated ASA configuration rather than have us guess.

You can ignore the license warning in the lab, throughput is just throttled, else buying a license would stop the license warning!

 

Thank you Rob!!!

Hi Rob,

here is what you wanted!

*********

ASA Version 9.8(3)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network DMZ-net
 host 20.20.20.20
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list DMZ extended permit ip any any
access-list DMZ extended permit tcp any any
access-list DMZ extended permit icmp any any
!
object network inside-net
 nat (inside,outside) dynamic interface
object network DMZ-net
 nat (DMZ,outside) static 20.20.20.1
access-group DMZ in interface outside
access-group DMZ out interface outside
router rip
 network 20.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
: end
ASA#

Hi

I put access-group DMZ in / out on interface DMZ and changed the IP of PC2 to 20.20.20.22.

The connection between OUTSIDE and DMZ is working.

@qumarce-habibzadeh 20.20.20.22 is being routed (same as 20.20.20.21) as there is no specific NAT rule. Your NAT rule for object "DMZ-net" is incorrect which is why 20.20.20.1 did not work.

Hi Rob!

I would be thankful if you could look at my config and show me which IP is the correct one for the DMZ static:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network DMZ-net
 host 20.20.20.20
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list DMZ extended permit ip any any
access-list DMZ extended permit tcp any any
access-list DMZ extended permit icmp any any
!
object network inside-net
 nat (inside,outside) dynamic interface
object network DMZ-net
 nat (DMZ,outside) static 20.20.20.1
access-group DMZ in interface outside
access-group DMZ out interface outside
access-group DMZ in interface DMZ
access-group DMZ out interface DMZ
router rip
 network 20.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
: end
ASA#

@qumarce-habibzadeh you cannot NAT the DMZ host behind the ASA's DMZ interface, you have to NAT it behind the ASA's outside interface or an IP address in the same network as the outside interface or another network that is routed to the outside interface of the ASA.

Because you are now using a /30 you cannot use another IP address in the same network as the outside interface, change it to a /24 then use a spare IP address. Change the PC back to the IP 20.20.20.20 so it will be translated.

Example:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
object network DMZ-net
 host 20.20.20.20
 nat (DMZ,outside) static 172.16.1.20

Ensure the subnet mask of the R1 F0/0 interface is a /24 - 172.16.1.1/255.255.255.0
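The constraints on the mapped address described in the reply above (not one of the ASA's own interface addresses, not the default-gateway next hop, inside the outside subnet or otherwise routed there, and not a network or broadcast address once the /30 is in play) can be checked mechanically before a config is pushed. This is an added Python example, not code from the thread or from Cisco; it parses only the handful of ASA lines that matter here and uses a constructed excerpt mirroring the first posted config.

```python
import ipaddress
import re

# Constructed excerpt mirroring the thread's first config (not a device export):
# the static NAT mapped address is also the default-gateway next hop.
FIRST_POST = """
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.0.0
interface GigabitEthernet0/2
 nameif DMZ
 ip address 20.20.20.1 255.255.255.0
object network DMZ-net
 host 20.20.20.20
 nat (DMZ,outside) static 172.16.1.1
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
"""

def parse_asa(config):
    """Pull out interface addresses, static NAT rules and the default next hop."""
    ifaces, nats, gateway, name = {}, [], None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ip, mask = line.split()[2:4]
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := re.match(r"nat \((\w+),(\w+)\) static (\S+)", line):
            nats.append((m[1], m[2], ipaddress.ip_address(m[3])))
        elif m := re.match(r"route \w+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gateway = ipaddress.ip_address(m[1])
    return ifaces, nats, gateway

def check_static_nat(config):
    """One finding per static NAT whose mapped address cannot work as written."""
    ifaces, nats, gateway = parse_asa(config)
    findings = []
    for _real_if, mapped_if, mapped in nats:
        net = ifaces[mapped_if].network  # assumes the mapped interface has an address
        if any(mapped == i.ip for i in ifaces.values()):
            findings.append(f"{mapped}: is an ASA interface address")  # the 20.20.20.1 attempt
        elif mapped == gateway:
            findings.append(f"{mapped}: conflicts with the default gateway")  # the 172.16.1.1 attempt
        elif mapped not in net:
            findings.append(f"{mapped}: not in {mapped_if} subnet {net}; needs a route upstream")
        elif mapped in (net.network_address, net.broadcast_address):
            findings.append(f"{mapped}: network/broadcast address of {net}")
    return findings
```

The "not in subnet" finding is a warning rather than an error: a mapped address outside the outside subnet does work when the upstream router has a route for it pointing at the ASA, as the reply notes.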

 

@rob

I did it, but there is no connection from 10.10.10.10 to 20.20.20.20!

Other connections are working!

PC3> ping 20.20.20.20
20.20.20.20 icmp_seq=1 timeout
20.20.20.20 icmp_seq=2 timeout
20.20.20.20 icmp_seq=3 timeout
20.20.20.20 icmp_seq=4 timeout
20.20.20.20 icmp_seq=5 timeout

PC3> ping 20.20.20.21
84 bytes from 20.20.20.21 icmp_seq=1 ttl=63 time=30.866 ms
84 bytes from 20.20.20.21 icmp_seq=2 ttl=63 time=30.840 ms
84 bytes from 20.20.20.21 icmp_seq=3 ttl=63 time=31.555 ms
84 bytes from 20.20.20.21 icmp_seq=4 ttl=63 time=31.113 ms
84 bytes from 20.20.20.21 icmp_seq=5 ttl=63 time=31.898 ms

@qumarce-habibzadeh but if you are NATing then you'd need to ping the NAT IP address (assuming the traffic is permitted in the firewall rule). If you want to ping the real IP address (20.20.20.20) then delete the NAT object.
