DNS Doctoring

adamgibs7
Level 6

Hello Friends,

I have a web server in the DMZ on my ASA. Internal users were not able to access the web server by hostname, so I went through the link below to configure DNS Doctoring.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

When I configured the DNS keyword in the static NAT statement for the web server it was not working, BUT

when I configured destination NAT as per the alternate solution given in the link it worked fine for me.

Now the issue is I am not able to remote desktop to my web server from inside; in the logs it shows me

"portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80"

For the internal users who want to access the DMZ, I have configured the below static statement.

static (inside,DMZ) 10.10.35.0 10.10.35.0 netmask 255.255.255.192

Still, in the logs I am getting the above error.

Please suggest where I am going wrong.

Thanks
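For readers who have not used the `dns` keyword before, the following is an added example (my own code, not from the original post or from Cisco) that models what DNS Doctoring does to a DNS reply crossing the ASA: an A record carrying the mapped (public) address 82.178.25.133 is rewritten to the real DMZ address 10.10.1.10, so the internal client connects straight to the DMZ host. The DNS message is constructed by hand here, and the hostname `www.example.com` is an assumption since the thread never names it.

```python
"""
Added example: a minimal model of the A-record rewrite performed by
  static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns
The DNS reply is constructed inline; the hostname is an assumption.
"""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# mapped (public) address -> real (DMZ) address, from the static in the thread
MAPPED_TO_REAL: Dict[str, str] = {"82.178.25.133": "10.10.1.10"}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name, compressed or not (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:                    # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_records(msg: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (rdata_offset, address) for every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen


def answer_addresses(msg: bytes) -> List[str]:
    """Addresses of the A records in the answer section, in wire order."""
    return [addr for _, addr in _a_records(msg)]


def doctor_dns_reply(msg: bytes, mapped_to_real: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite mapped addresses to real ones in a DNS *reply*; queries pass untouched.

    Returns the (possibly) rewritten message and the list of rewrites made.
    Only RDATA bytes change, so the message length and all offsets are preserved.
    """
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:                 # QR bit clear: this is a query
        return msg, []
    out = bytearray(msg)
    rewrites = []
    for off, addr in _a_records(msg):
        real = mapped_to_real.get(addr)
        if real:
            out[off:off + 4] = socket.inet_aton(real)
            rewrites.append((addr, real))
    return bytes(out), rewrites


def build_reply(name: str, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample: a standard response with one question and one A answer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


if __name__ == "__main__":
    reply = build_reply("www.example.com", "82.178.25.133")       # constructed input
    doctored, rewrites = doctor_dns_reply(reply, MAPPED_TO_REAL)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), rewrites)
```

The model shows the mechanism, not the ASA's policy around it: a real ASA only rewrites a reply that actually traverses the firewall between the interfaces named in the static, so a client that resolves the name against an internal DNS server never sees a doctored answer. That is the situation in which the Cisco document's destination-NAT alternative is used instead.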

7 Replies

Yudong Wu
Level 7

Can you post all of your NAT configuration here?

The following error tells us that the ASA could not create a NAT translation for inside IP 10.10.3.12 to DMZ 10.10.1.10:

portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80

Do you have a related NAT config to translate source IP 10.10.3.12 when it accesses the DMZ network?

"static (inside,DMZ) 10.10.35.0 10.10.35.0 netmask 255.255.255.192" is translating source net 10.10.35.0 to itself, but it won't do anything for 10.10.3.12.

Hello,

I made a mistake in writing it; it is static (inside,DMZ) 10.10.3.0 10.10.3.0 netmask 255.255.255.192.

static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns   <-------------  It didn't work with this statement

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255            <-------------  It worked with this statement

Now the issue is that when users from this subnet 10.10.3.0 try to access the DMZ web server through remote desktop they are not able to; they get "portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80", though I have a static statement.

One very interesting thing: when I remove the destination NAT command static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255, users are able to remote desktop to the web server.

Thanks

Here is my thought. Since I don't have your full NAT configuration here, it might not be accurate.

1. Regarding "static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns" not working:

- Did you try "clear xlate" after you made the above change?

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass this static NAT rule.

2. static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 works but breaks remote desktop access.

- Does your remote desktop session use 82.178.25.133 to access the web server? If not, can you try that?

- You might add the following NAT bypass to see if it works.

access-list nonat-to-dmz permit ip 10.10.3.0 255.255.255.192 host 10.10.1.10

nat (inside) 0 access-list nonat-to-dmz

Hello Yudong,

There is no big static list for NAT statements, only these 3 of them.

1. Regarding "static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns" not working:

- Did you try "clear xlate" after you made the above change?

Yes, I did.

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass this static NAT rule.

How? Please suggest.

- Does your remote desktop session use 82.178.25.133 to access the web server? If not, can you try that?

I didn't try; I will let you know tomorrow.

- You might add the following NAT bypass to see if it works.

access-list nonat-to-dmz permit ip 10.10.3.0 255.255.255.192 host 10.10.1.10

nat (inside) 0 access-list nonat-to-dmz

I thought about this, but I want to make it work without nat 0.

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

Can you explain this static NAT statement to me?

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass this static NAT rule.

How? Please suggest.

>>> I just wonder if you have any policy static NAT or nat 0 configuration which might bypass this DNS static NAT entry. I am just curious about why it won't work.

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

Can you explain this static NAT statement to me?

>>> The above NAT will translate the destination IP from 82.178.25.133 to 10.10.1.10 when a user in the inside network tries to reach 82.178.25.133. In the direction from DMZ to inside, it will NAT source IP 10.10.1.10 to 82.178.25.133 as well.

Hello,

I just wonder if you have any policy static NAT or nat 0 configuration which might bypass this DNS static NAT entry. I am just curious about why it won't work.

Believe me, there is no such policy statement, only a simple statement going from inside to DMZ, i.e. identity NAT 10.10.3.0 10.10.3.0 netmask 255.255.255.255,

and the DMZ to outside static statement for the web server:

  • static (Inside,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

The above statement translates the host from inside 10.10.1.10 to 82.178.25.133 when it goes to the internet, which is the address the whole world knows.

And in the same way, when any request comes to 82.178.25.133 from the internet it will hit the firewall, and the firewall will translate it to this private IP 10.10.1.10, which the firewall knows according to the route specified in the route table.

But in the below scenario:

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

When the host 10.10.1.10 wants to go to inside it will be translated to 82.178.25.133 and it will be routed according to the destination in the routing table. But this IP (82.178.25.133) is not known by the inside host, so when the inside host replies back it will reply according to its default gateway, which must be the firewall; if it is a different default gateway then communication will not be established.

And in the same way, when users come from inside with IP 10.10.3.12 to reach 10.10.1.10, the firewall will translate it to 82.178.25.133 and send it to the DMZ interface.

Correct me if I am wrong?

When the host 10.10.1.10 wants to go to inside it will be translated to 82.178.25.133 and it will be routed according to the destination in the routing table. But this IP (82.178.25.133) is not known by the inside host, so when the inside host replies back it will reply according to its default gateway, which must be the firewall; if it is a different default gateway then communication will not be established.

<<< This is correct. The inside host must send the reply to 82.178.25.133 to the inside interface of this ASA.

And in the same way, when users come from inside with IP 10.10.3.12 to reach 10.10.1.10, the firewall will translate it to 82.178.25.133 and send it to the DMZ interface.

<<<< No. If the inside host uses 10.10.1.10 as the destination IP, it won't be translated by "static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255"; that's why I asked what destination IP you were using, and you could try using 82.178.25.133 if you are not using it.

If the inside host uses 82.178.25.133 as the destination, it will be translated to 10.10.1.10 and sent to the DMZ.
