inside to dmz

zulqurnain
Level 3

Hi all,

Suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA for specific ports, e.g. 25 & 21.

But in doing so the server (x) IP address, e.g. 10.10.23.20, should be NATed to 192.168.211.201, the subnet configured on the DMZ.

Server (x) needs to access server (y), which has IP address 192.168.211.200.

What would be the best possible way to do so? I have tried using access-list and global, but I get the error message "portmap translation creation failed" in the syslog. Now I was thinking of doing it using static from (inside,dmz) with an access list (PAT).

Any help would be great.

4 Replies

JORGE RODRIGUEZ
Level 10

Try this.

Your static and ACL should be similar to this:

static (inside,DMZ) 10.10.23.20 10.10.23.20 netmask 255.255.255.255 0 0

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 21

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 25

access-group inside_access_in in interface inside

Jorge Rodriguez

Hi jorgemcse,

This would leave 10.10.23.20 without being translated, but like I said earlier I want 10.10.23.20 to be translated to 192.168.211.201, a subnet configured on the DMZ.

Hope this clears up my point of question.

Zulqurnain,

Then creating PAT for the DMZ interface is one way of doing it: allocate an address for it under the 192.168.211.0 subnet and create PAT, or use the DMZ interface itself as the PAT address.

e.g. regular PAT (the nat statement on the inside pairs the host with global pool 1):

nat (inside) 1 10.10.23.20 255.255.255.255

global (DMZ) 1 192.168.211.50

or

global (DMZ) 1 interface

Jorge Rodriguez

zubairjalal
Level 1

What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to DMZ.

It should only have one statement:

static (inside,DMZ) 192.168.211.201 10.10.23.20 netmask 255.255.255.255

You can try this, and if it works then you can create an ACL on the DMZ interface for restricting the ports.

Just out of curiosity, do you have nat-control enabled?

--Pls rate if it helps--
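An added example (not posted by anyone in this thread) of the "static with access-list" approach the original poster was considering, in pre-8.3 ASA syntax; it assumes the interface names inside and DMZ and the ACL names used below are placeholders:

```cisco
! Added example, not from this thread. Pre-8.3 ASA syntax assumed.
! Policy static NAT: translate 10.10.23.20 to 192.168.211.201 only when
! it talks to the DMZ server 192.168.211.200 (one-to-one, no port mapping,
! so no "portmap translation creation failed" as with a global/PAT pool).
access-list INSIDE_TO_DMZ_NAT extended permit ip host 10.10.23.20 host 192.168.211.200
static (inside,DMZ) 192.168.211.201 access-list INSIDE_TO_DMZ_NAT
!
! Least privilege: allow only TCP/21 and TCP/25 from the inside host to the
! DMZ server. Inbound ACLs on "inside" match the real (untranslated) source.
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
access-group inside_access_in in interface inside
!
! Verification: the xlate should show 10.10.23.20 mapped to 192.168.211.201,
! and packet-tracer should end with a translation to .201 and an ALLOW.
show nat
show xlate
packet-tracer input inside tcp 10.10.23.20 1025 192.168.211.200 25
```

If nat-control is enabled, the static above also satisfies the requirement for a translation rule from inside to DMZ, so no separate nat/global pair is needed for this host.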
