
ASA/FWSM: static(dmz,dmz)

SSS999888
Level 1

Hi ,

Is the following a workable config on FWSM or on ASA?

static (DMZ,DMZ) 10.10.10.111 192.168.26.111 netmask 255.255.255.255

My_Network_Visio.png

Thank you

Sri

Accepted Solutions

Yudong Wu
Level 7

Static NAT should be

static (dmz,dmz) 192.168.26.111 10.10.10.111

You also need "same-security-traffic permit intra-interface".

On server 10.10.10.111, you need to make sure the return traffic will be sent to the ASA instead of Rou-1.

Thank you Yudong,

I also need to initiate traffic from BOTH of the servers.

Would this need any additional considerations? Both directions have

1/ same static map

and also

2/ differing static IP address maps

Sri

But per my testing, it works in both directions. Both sides can initiate the traffic since you are using static NAT.

Besides what I mentioned in the last post, you need to make sure you have the route added on your ASA correctly.

For example, you need to add a route on the ASA to route traffic destined to 192.168.26.111 to 10.10.10.111.

You might need to add "permit ip host 10.10.10.111 host 172.24.24.111" on the ACL applied to the dmz interface as well.
