ASA DMZ config issues



First-time poster, so please go easy... I'm having what I think is an issue with my ASA config. I'm trying to add a DMZ and it's not working.

My network is somewhat unique in that I have a requirement to use all public IPs for all interfaces, so no private internal addresses on the interface side. I have both static and nat 0 items and I'm afraid this may be my problem. I'm not sure if this is correct. To add to the mix of interesting things, I am setting the new interface for the DMZ up using a sub-interface for the first time. I don't have access into the 6500 that feeds the DMZ VLAN, but I am told the port is in trunk mode with the VLAN in question not set to the native VLAN. I am setting it up this way as I will need to add some additional networks in the near future, which this will allow me to do.

Here are the basics of my config. I'm leaving out ACLs at this time for simplicity. IPs are changed; all interfaces use public IPs, and the RFC 1918 networks you see are for a few L2L tunnels I have. It is in routed mode. I can post the whole thing if needed.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2.22
 description VLAN 22 DMZ network
 vlan 22
 nameif DMZ
 security-level 50
 ip address
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip host
access-list inside_nat0_outbound extended permit ip any
access-list dmz_nat0_outbound extended permit ip
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 0
static (inside,outside) netmask
static (DMZ,outside) netmask
static (inside,DMZ) netmask
access-group 101 in interface outside
access-group internal in interface inside
route outside 1

The inside interface works, no problem. The DMZ interface, however, doesn't seem to have any traffic when I show int DMZ. I have a box in that network. I try to go out to the outside and nothing works. I try to go from inside to DMZ, nothing. Part of me wonders if the 6500 is configured correctly, but everything I'm told says it is. I can't help but think my NAT statements are messed up.

Please help.

1 Reply



I think you have a problem with the access-list dmz_nat0_outbound: the source and dest networks are equal.

And I'm not sure why you use NAT exemption on the DMZ interface. It should be fine with static only.
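The two points in the reply (a nat 0 ACL whose source and destination are the same network, and a nat 0 exemption sitting on an interface that already has an identity static) can be checked mechanically before pushing a config. The script below is an added example, not from the thread; it parses the ASA 8.2-style `access-list`, `nat (if) 0 access-list` and `static` lines in a constructed sample that uses RFC 5737 documentation addresses in place of the poster's public IPs, and reports both conditions plus any nat 0 that points at an ACL that is not defined.

```python
from ipaddress import ip_network

# Constructed sample in the ASA 8.2-style syntax from the post; addresses are RFC 5737
# documentation ranges, not the poster's real public IPs.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 203.0.113.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 198.51.100.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (DMZ) 0 access-list dmz_nat0_outbound
static (DMZ,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
"""

def _read_net(tokens):
    """Consume one ACL address spec (any | host A | A MASK) from the front of a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def audit_nat0(config):
    """Return findings about nat 0 (exemption) ACLs and statics in an ASA 8.2-style config."""
    acls, nat0, statics = {}, {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            acls.setdefault(t[1], []).append((_read_net(rest), _read_net(rest)))
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
        elif t[0] == "static" and len(t) >= 6 and t[4] == "netmask":
            # static (real_if,mapped_if) mapped_ip real_ip netmask MASK
            real_if = t[1].strip("()").split(",")[0]
            statics.setdefault(real_if, []).append(ip_network(f"{t[3]}/{t[5]}", strict=False))
    findings = []
    for iface, acl in nat0.items():
        if acl not in acls:
            findings.append(f"nat ({iface}) 0 references undefined access-list {acl}")
            continue
        for src, dst in acls[acl]:
            if src == dst:
                findings.append(f"{acl}: source and destination are the same network ({src})")
            for net in statics.get(iface, []):
                if src.subnet_of(net) or net.subnet_of(src):
                    findings.append(f"{acl}: {src} is also covered by a static on {iface} ({net}); "
                                    "on 8.2 the nat 0 exemption is matched before the static")
    return findings
```

Run `audit_nat0` over the real config (with the IPs present) to get the same two findings the reply points at for the DMZ interface.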

