09-18-2007 09:51 AM - edited 03-11-2019 04:12 AM
Hi all,
Suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA on specific ports, e.g. 25 & 21,
but in doing so the server (x) IP address, e.g. 10.10.23.20, should be NATted to (192.168.211.201), the subnet configured on the DMZ.
Server (x) needs to access server (y), which has IP address 192.168.211.200.
What would be the best possible way to do so? I have tried using access-list and global, but I get the error message "portmap translation creation failed" in syslog. Now I was thinking of doing it using static from (inside,dmz) using access list - PAT.
Any help would be great.
09-18-2007 06:30 PM
Try this
Your static and acl should be similar to this.
static (inside,DMZ) 10.10.23.20 10.10.23.20 netmask 255.255.255.255 0 0
access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
access-group inside_access_in in interface inside
09-18-2007 09:13 PM
Hi jorgemcse,
This would leave 10.10.23.20 without being translated, but like I said earlier, I want 10.10.23.20 to be translated to 192.168.211.201, a subnet configured on the DMZ.
Hope this clears up the point of my question.
09-19-2007 07:13 AM
Zulqurnain,
Then creating PAT for the DMZ interface is one way of doing it: allocate an address for it under the 192.168.201.0 subnet and create PAT, or use the DMZ interface itself as the PAT device.
e.g. regular PAT
global (DMZ) 1 192.168.201.50
or
global (DMZ) 1 interface
09-19-2007 07:35 AM
What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to DMZ.
It should only have one statement
static (inside,DMZ) 192.168.211.200 10.10.23.20 netmask 255.255.255.255
You can try this and if it works then you can create an ACL on the DMZ interface for restricting the ports.
Just out of curiosity, do you have nat-control enabled?
--Pls rate if it helps--
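The setup asked about in this thread, written out as a policy PAT sketch. This is an added example, not a configuration posted by any participant; it assumes the pre-8.3 nat/global syntax used in the replies, NAT ID 1 being free, and a hypothetical ACL name INSIDE_TO_Y.

```cisco
! Added example (pre-8.3 syntax). INSIDE_TO_Y is a hypothetical ACL name.
! Policy PAT: translate 10.10.23.20 only when the destination is server (y).
access-list INSIDE_TO_Y extended permit ip host 10.10.23.20 host 192.168.211.200
nat (inside) 1 access-list INSIDE_TO_Y
global (DMZ) 1 192.168.211.201
!
! Interface ACL from the earlier reply: allow only ports 21 and 25 to server (y).
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
access-group inside_access_in in interface inside
!
! After sending traffic from server (x), check the translation with:
! show xlate
```

With only these two entries, the implicit deny at the end of inside_access_in drops all other traffic entering the inside interface, so any other flows the site needs must be permitted explicitly.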