Hi,
Can you help me with access between the DMZ host C2 and the inside network? I can access any service on the DMZ from host C1 (inside).
What configuration should be done to permit access from Inside to DMZ and from DMZ to Inside for any service?
Please find the diagram.
Hi,
The required configuration really depends on your current configuration.
If I were to presume that you have no interface ACLs configured, then you will need an ACL configured on the DMZ interface, since you need to allow traffic to the networks behind a higher "security-level" interface.
Typically connections from DMZ to LAN are not allowed that broadly.
Since you are essentially asking to allow all traffic from DMZ to LAN and also need to allow traffic from DMZ to the external network, you could simply add:
access-list DMZ-IN remark Allow all traffic from DMZ
access-list DMZ-IN permit ip any any
access-group DMZ-IN in interface DMZ
- Jouni
Hi Jouni,
Thanks for the reply...
I have one query: I added dynamic NAT from inside to DMZ and I can access the DMZ host. Should I need to add NAT from DMZ to inside?
In the log it is getting an error that there is no NAT translation from DMZ to inside....
suhas
Hello,
NAT works in bidirectional mode, e.g.:
Suppose you are doing Source NAT from Inside to DMZ. So for the traffic coming from DMZ to Inside it works as Destination NAT.
And if you want to do Source NAT from DMZ to Inside, then you can do this by:
doing Destination NAT from Inside to DMZ, or Source NAT from DMZ to Inside.
Hope this helps you.
Thanks
Hi vishaw,
I am getting a NAT translation error in the log. I mean, I need to add NAT from DMZ to INSIDE... right?
suhas
Hello,
If you have done Source NAT from inside to DMZ and you want Source NAT from DMZ to inside, then you have to do NAT for DMZ to inside.
Also make sure that you have opened the access for DMZ to inside as told by Jouni.
Thanks
Hello, try this.
object network Inside-Source
range
object network DMZ-Source
range
object network Inside-Destination
range
object network DMZ-Destination
range
nat (inside,DMZ) source dynamic Inside-Source DMZ-Destination destination Inside-Destination DMZ-Source
Try this...
Thanks
Hi
What software version are you using?
As 8.3 and above won't require NAT for this to work.
Please post the current configuration of the ASA.
Cheers
Naveen
Hi Naveen,
I have a Cisco PIX.
I have removed all the config which I had configured for inside to DMZ and DMZ to inside traffic...
-Suhas
Suhas
You need a static NAT to go from DMZ to inside. Do you want to allow just C1 or the whole subnet that C1 is on?
If just C1, then using 192.168.5.10 as C1's IP -
static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255
If you want to be able to access any inside host on the 192.168.5.0/24 network -
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Jon
Hi Jon,
Will it work bidirectionally? DMZ to INSIDE and INSIDE to DMZ... for the whole network?
Should I add an access-list on both sides?
-Suhas
Suhas
Yes, static NAT works both ways.
You would need an access list on the DMZ interface to go to the inside.
Edit - as already stated, your ACL also needs to allow DMZ traffic to the outside.
Jon
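Pulling the thread's answers together, the following is an added example configuration (not posted by anyone in the thread) in pre-8.3 PIX/ASA syntax: Jon's identity static NAT plus a DMZ-inbound ACL that is narrower than "permit ip any any". It assumes the interface names inside/DMZ, Jon's inside subnet 192.168.5.0/24 with C1 at 192.168.5.10, and a constructed DMZ subnet of 10.10.10.0/24.

```cisco
! Added example, not from the thread. Pre-8.3 PIX/ASA (7.x) syntax; the
! "object network" / "nat (inside,DMZ) source ..." form posted earlier is
! ASA 8.3+ only and is not accepted on a PIX.
! Assumed: inside = 192.168.5.0/24 (C1 = 192.168.5.10), DMZ = 10.10.10.0/24.
!
! 1. Identity static NAT so DMZ hosts can initiate connections to the
!    inside subnet. Static entries are bidirectional, so this also covers
!    inside -> DMZ and clears the "No translation group found" syslog.
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!
! 2. DMZ has a lower security-level than inside, so an inbound ACL on the
!    DMZ interface is required. Permit only the DMZ subnet as source:
!    first to the inside subnet, then to anything else (the outside), and
!    log whatever does not match (e.g. spoofed source addresses).
access-list DMZ-IN remark DMZ -> inside subnet, any service (as asked in the thread)
access-list DMZ-IN extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ-IN remark DMZ -> outside (Internet); inside is already matched above
access-list DMZ-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-list DMZ-IN remark Explicit catch-all so unexpected traffic shows up in the log
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
!
! 3. Verification (exec mode):
!    show xlate | include 192.168.5     -> the static identity entries
!    show access-list DMZ-IN            -> per-line hit counts
!    packet-tracer input DMZ tcp 10.10.10.5 1024 192.168.5.10 22   (7.2 and later)
```

The first ACE is redundant with the second for matching purposes but keeps a separate hit counter for DMZ-to-inside traffic, which is the flow the thread is troubleshooting.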