ASA & DMZ

Hello everyone, this is my first experience with ASA in GNS3. My PC3 from outside cannot communicate with the DMZ. What should I change? Thanks in advance

********************

ASA Version 9.8(3)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network DMZ-net
 host 20.20.20.20
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit icmp any any
access-list DMZ extended permit ip any any
access-list DMZ extended permit tcp any any
access-list DMZ extended permit icmp any any
!
object network inside-net
 nat (inside,outside) dynamic interface
object network DMZ-net
 nat (DMZ,outside) static 172.16.1.1
access-group DMZ in interface outside
access-group DMZ out interface outside
router rip
 network 20.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
: end
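The posted config has three things a reviewer would flag before touching the lab: the static NAT maps the DMZ host to 172.16.1.1, which is also the default-route next hop; the same ACL is bound both in and out on the outside interface; and that ACL is `permit ip any any` inbound on the security-level 0 interface. The following script is an added example, not code from this thread or from Cisco, that parses the relevant lines of the posted config (embedded here as a constructed sample) with a small hand-written ASA parser and reports exactly those findings. The parser only understands the handful of commands used on this page.

```python
"""Static checks over an ASA config fragment (added example, not code from the thread)."""
import re

# Constructed sample: the relevant lines of the config posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.0.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
object network DMZ-net
 host 20.20.20.20
access-list DMZ extended permit ip any any
object network DMZ-net
 nat (DMZ,outside) static 172.16.1.1
access-group DMZ in interface outside
access-group DMZ out interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (dynamic|static) (\S+)")


def parse_asa(text):
    """Return interfaces, network objects, NAT rules, ACLs, access-groups and routes."""
    cfg = {"interfaces": {}, "objects": {}, "nat": [], "acl": {}, "access_group": [], "routes": []}
    current = None  # (kind, name) of the enclosing top-level block, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):  # top-level command
            if parts[0] == "interface":
                current = ("interface", parts[1])
                cfg["interfaces"][parts[1]] = {}
            elif parts[:2] == ["object", "network"]:
                current = ("object", parts[2])
                cfg["objects"].setdefault(parts[2], {})  # objects are re-entered for NAT
            elif parts[0] == "access-list":  # access-list NAME extended ACE...
                cfg["acl"].setdefault(parts[1], []).append(" ".join(parts[3:]))
            elif parts[0] == "access-group":  # access-group NAME in|out interface IFNAME
                cfg["access_group"].append((parts[1], parts[2], parts[4]))
            elif parts[0] == "route":  # route IFNAME NET MASK GATEWAY [metric]
                cfg["routes"].append((parts[1], parts[2], parts[3], parts[4]))
            else:
                current = None
        elif current and current[0] == "interface":
            iface = cfg["interfaces"][current[1]]
            if parts[0] == "nameif":
                iface["nameif"] = parts[1]
            elif parts[0] == "security-level":
                iface["level"] = int(parts[1])
            elif parts[:2] == ["ip", "address"]:
                iface["ip"], iface["mask"] = parts[2], parts[3]
        elif current and current[0] == "object":
            obj = cfg["objects"][current[1]]
            if parts[0] == "host":
                obj["host"] = parts[1]
            elif parts[0] == "nat":
                m = NAT_RE.match(line.strip())
                if m:
                    cfg["nat"].append({"object": current[1], "mapped_if": m.group(2),
                                       "type": m.group(3), "mapped": m.group(4)})
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means no check fired."""
    findings = []
    by_nameif = {v["nameif"]: v for v in cfg["interfaces"].values() if "nameif" in v}
    gateways = {r[3] for r in cfg["routes"]}
    # A static mapped address that is also a next hop collides with the firewall's own forwarding.
    for rule in (r for r in cfg["nat"] if r["type"] == "static"):
        if rule["mapped"] in gateways:
            findings.append(f"nat {rule['object']}: mapped address {rule['mapped']} is also a route next hop")
    # The same ACL bound in both directions on one interface is almost always a mistake.
    bound = {}
    for acl, direction, nameif in cfg["access_group"]:
        bound.setdefault((acl, nameif), set()).add(direction)
    for (acl, nameif), dirs in bound.items():
        if dirs == {"in", "out"}:
            findings.append(f"access-group {acl}: bound both in and out on {nameif}")
    # An inbound 'permit ip any any' on the security-level 0 interface disables the filtering.
    for acl, direction, nameif in cfg["access_group"]:
        if direction == "in" and by_nameif.get(nameif, {}).get("level") == 0 \
                and "permit ip any any" in cfg["acl"].get(acl, []):
            findings.append(f"access-list {acl}: inbound on {nameif} (security-level 0) permits ip any any")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_asa(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Running it against the sample prints the three findings; feeding it a copy where the mapped address is an unused outside address, the `out` binding is removed and the ACL is narrowed to the service the DMZ host actually offers yields none.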

18 Replies

Dear Rob!

I changed it as follows and everything works well!

ASA(config)# object network DMZ-net
ASA(config-network-object)# host 20.20.20.1
ASA(config-network-object)# nat (DMZ,outside) static 172.16.1.20

PC3> ping 20.20.20.20
84 bytes from 20.20.20.20 icmp_seq=1 ttl=63 time=30.551 ms
84 bytes from 20.20.20.20 icmp_seq=2 ttl=63 time=31.396 ms
84 bytes from 20.20.20.20 icmp_seq=3 ttl=63 time=31.411 ms
84 bytes from 20.20.20.20 icmp_seq=4 ttl=63 time=30.852 ms
84 bytes from 20.20.20.20 icmp_seq=5 ttl=63 time=31.120 ms

PC2> ping 10.10.10.10
84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=33.517 ms
84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=33.297 ms
84 bytes from 10.10.10.10 icmp_seq=3 ttl=63 time=32.445 ms
84 bytes from 10.10.10.10 icmp_seq=4 ttl=63 time=32.800 ms
84 bytes from 10.10.10.10 icmp_seq=5 ttl=63 time=32.826 ms

Thank you for the good support.

@qumarce-habibzadeh well it worked because you changed the object DMZ-net host address to 20.20.20.1, therefore the NAT rule did not match the ping traffic and was routed.

@rob

Is my way the correct solution or not?

If not, is the DMZ without NAT the correct answer?

@qumarce-habibzadeh if the DMZ servers have publicly routable IP addresses then NAT is not required.
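Rob's two replies describe two workable designs: keep the static NAT but map the DMZ host to an outside address nothing else owns, or drop NAT entirely when the DMZ range is routable from outside. The ASA CLI below is an added illustration of both, not configuration from this thread or from Cisco. The mapped address 172.16.1.20 is borrowed from qumarce's change; the ACL name OUTSIDE-IN, the assumption that the host serves HTTP and should answer echo requests, and the upstream router being IOS are assumptions.

```cisco
! Option A: static NAT. The object keeps the real host address, and the mapped address is
! an unused one on the outside subnet (not 172.16.1.1, the default-route next hop).
object network DMZ-net
 host 20.20.20.20
 no nat (DMZ,outside) static 172.16.1.1
 nat (DMZ,outside) static 172.16.1.20
!
! Permit only what the DMZ host must serve. From ASA 8.3 on, ACLs match the real
! (untranslated) address, so the ACE names 20.20.20.20, not 172.16.1.20.
! Assumption: the host offers HTTP and should answer ICMP echo.
access-list OUTSIDE-IN extended permit tcp any host 20.20.20.20 eq 80
access-list OUTSIDE-IN extended permit icmp any host 20.20.20.20 echo
! Bind it inbound only; the original "access-group DMZ out interface outside" is not needed.
access-group OUTSIDE-IN in interface outside
! PC3 then reaches the server by its mapped address: ping 172.16.1.20
!
! Option B: no NAT, for a DMZ range that is routable from outside. Remove the static rule
! and make sure the upstream router (172.16.1.1, assumed IOS) has a route back to the DMZ,
! e.g. "ip route 20.20.20.0 255.255.255.0 172.16.1.2", or learns it via the RIP already
! configured on the ASA. PC3 then pings 20.20.20.20 directly, as in qumarce's test.
object network DMZ-net
 no nat (DMZ,outside) static 172.16.1.1
```

Either way, the `permit ip any any` entries bound to the outside interface should go: with them in place the outside-to-DMZ test proves only that routing and NAT work, not that the firewall is filtering anything.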
