ASA static NAT problem

shahid_duet
Level 1

Dear boss

I'm using an ASA5510 for a DMZ. Please see my attached diagram and configuration.

interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
!
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
!
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
!
access-group DMZTOLocal out interface local
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

My outside NAT is OK. I get local to DMZ, i.e. 192.168.0.0/16 to 192.168.0.241 (172.29.1.5), but I am not getting 172.29.1.5 to 192.168.0.0/16.

What can I do if I want to get DMZ to Local?

Please suggest me.

Thanking You

shahid

2 Replies

llamaw0rksE
Level 1

I have some issues with your design.

Firstly, I am not used to an inside interface (a LAN) with an IP address ending in .243; I am used to .1.

My knowledge is limited so it might be perfectly legitimate.

Secondly with a basic license at least on the ASA5505, the DMZ could only be used for DMZ or internet bound traffic.

The internal lan could reach the DMZ or the internet.

Make sure your license permits a fully functioning DMZ.

Thirdly, I really don't care about your config at this point. I would like to know in words what your requirements are first. Then we can look at implementation. What is it that you need in your work environment, in concepts?

Dennis Mink
VIP Alumni

Your:

access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0

will still not allow access from DMZ--->Local

access-list DMZTOLocal extended permit ip host 172.29.1.5 192.168.0.0 255.255.0.0

and apply this to your DMZ interface with: access-group DMZTOLOCAL in interface DMZ

Also, fire up your packet tracer in ASDM and see what drops your traffic.

Regards

Dennis
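The behaviour described in the question and in the reply above, modelled as an added example (this is not code from the thread or from Cisco): a small Python simulation of how a pre-8.3 ASA decides the two flows, assuming that a flow from a lower-security to a higher-security interface is denied unless an inbound ACL on the ingress interface permits it, and that an ACL matches addresses as they appear on the interface it is bound to (real address on DMZ, mapped address on local). The `decide`/`translate` functions and the sample host 192.168.0.10 are constructed for the example.

```python
# Added example (not from the thread): model of the ASA decision for the two flows
# in the post, before and after adding an inbound ACL on the DMZ interface.
from ipaddress import ip_address, ip_network

SECURITY = {"local": 100, "outside": 0, "DMZ": 50}  # nameif / security-level from the post

# static (DMZ,local) 192.168.0.241 172.29.1.5
STATIC_DMZ_LOCAL = {"real": "172.29.1.5", "mapped": "192.168.0.241"}

# ACLs as (source, destination) permit entries; implicit deny at the end
ORIGINAL_ACL = [("192.168.0.241/32", "192.168.0.0/16")]           # poster's DMZTOLocal
FIXED_ACL = ORIGINAL_ACL + [("172.29.1.5/32", "192.168.0.0/16")]  # with the reply's ACE added

def acl_permits(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)

def translate(ingress, egress, src, dst):
    """Apply the static: the DMZ host is seen on local as the mapped address."""
    if (ingress, egress) == ("DMZ", "local") and src == STATIC_DMZ_LOCAL["real"]:
        return STATIC_DMZ_LOCAL["mapped"], dst
    if (ingress, egress) == ("local", "DMZ") and dst == STATIC_DMZ_LOCAL["mapped"]:
        return src, STATIC_DMZ_LOCAL["real"]
    return src, dst

def decide(ingress, egress, src, dst, access_groups):
    """access_groups: {(interface, 'in'|'out'): acl}. Assumption: ACL addresses are
    matched as they appear on the interface the ACL is bound to (pre-8.3 behaviour)."""
    acl_in = access_groups.get((ingress, "in"))
    if acl_in is not None:
        if not acl_permits(acl_in, src, dst):
            return False, f"denied by ACL on {ingress} in"
    elif SECURITY[ingress] <= SECURITY[egress]:
        # no inbound ACL: lower-to-higher security is denied by default
        return False, f"no ACL on {ingress}; {ingress}({SECURITY[ingress]}) -> {egress}({SECURITY[egress]}) denied by default"
    src, dst = translate(ingress, egress, src, dst)
    acl_out = access_groups.get((egress, "out"))
    if acl_out is not None and not acl_permits(acl_out, src, dst):
        return False, f"denied by ACL on {egress} out"
    return True, f"permitted, forwarded as {src} -> {dst}"

POSTED = {("local", "out"): ORIGINAL_ACL}                        # access-group DMZTOLocal out interface local
FIXED = {("local", "out"): FIXED_ACL, ("DMZ", "in"): FIXED_ACL}  # plus access-group DMZTOLocal in interface DMZ

if __name__ == "__main__":
    for name, groups in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "local->DMZ:", decide("local", "DMZ", "192.168.0.10", "192.168.0.241", groups))
        print(name, "DMZ->local:", decide("DMZ", "local", "172.29.1.5", "192.168.0.10", groups))
```

With the posted config the DMZ-to-local flow is dropped at the ingress interface before any ACL is consulted, which is the kind of drop reason ASDM's packet tracer would report.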
