06-24-2017 07:37 PM - edited 03-12-2019 02:37 AM
Hi All,
I am running into a very weird behavior.
I have 2 internal networks (inside, dmz), and I used static NAT in order to get data to flow between the two networks.
But whenever the static NAT is applied, the hosts on the dmz side seem unable to acquire an IP address from the ASA5505.
The ones that already have an IP will work fine.
This issue does not affect the hosts in the inside network.
No, I am not anywhere near the host limit of the ASA5505.
The minute I took out the static mapping, the dmz resumed getting IP addresses.
Here is pseudo code of the configuration.
Thank you in advance.
basemodel ASA5505
show local-host is less than 6 hosts
using 8.2.5(59) // sorry, I am not a big fan of 8.3+, which deprecated the nat and global commands.
I have 3 VLANs in use: inside, dmz, outside.
inside ip add 10.0.INS.1 /24
security-level 100
e0/1-e0/3 switchport access this vlan
dmz ip add 10.0.DMZ.1 /24
security-level 50
no forward int vlan 1
e0/5-6 switchport access this vlan
e5 is attached to a wifi ap that basically just airborns the network.
e6 was used to test hardwire connection without wifi. same results
outside ip add 4.4.OUT.1
public ip static ip address
e0/0 switchport access this vlan
PAT out to the internet
nat (inside) 10 10.0.INS.0 /24
nat (dmz) 10 10.0.DMZ.0 /24
global (outside) 10 interface
couple of ports forwarded to a DMZ host
static (dmz,outside) tcp interface 8000 10.0.DMZ.100 8000 netmask /32
access-list NAME extended permit tcp any interface outside eq 8000
access-group NAME in interface outside
DHCP the network
dhcpd address 10.0.INS.100-10.0.INS.130 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside
dhcpd address 10.0.DMZ.100-10.0.DMZ.130 dmz
dhcpd dns 4.2.2.2 8.8.8.8 interface dmz
dhcpd enable dmz
I wanted the inside to have one way traffic to the dmz hosts, but dmz hosts can not initiate traffic to inside.
static (inside,dmz) 10.0.DMZ.0 10.0.INS.0 netmask /24
After the above statement was put in, DHCP in the DMZ just ceases to function.
The minute I take it away, things work again.
Can anyone let me know why?
Thanks in advance.

06-27-2017 06:47 AM
You need to put another nat statement from dmz to inside.
static (dmz,inside) 10.0.INS.0 10.0.DMZ.0 netmask /24