Showing results for 
Search instead for 
Did you mean: 

New situation, but how to address? (outside, dmz, inside)


Hi all,

I'm looking for a 'new' solution wich i can't figure out...


First of all, I use a Cisco Asa 5505 with ASDM 6.1.

And we own from our ISP a public router IP with 5 useable public sub-IPs.

(IPs are just made up...)

Asa Router : z.z.80.21

ISP Gateway: z.z.80.20

Useable IPs: z.z.81.41 - z.z.81.45

Old Situation:

The Old config was very basic but effective.

We had setup 3 interfaces: Outside (z.z.80.21), DMZ (x.x.100.x) and Inside (x.x.1.x).

And I used 'Nat Policy rules' in the DMZ from server to Outside at an useable IP (z.z.81.41).

This way we could use from Inside the Public IPs and was the NAT working correct.

But also the Internet could rage our servers trough the NAT.

(We have more Servers then Public IPs AND we need NAT because not all servers publish

there service on the same port we want to publish on the public internet)

New Situation:

Now we have an new server who needs it's own dedicated public IP without a NAT!

(It's a VOIP Asterisk Server)

And I'm also advised that this server needs this dedicated public IP (z.z.81.45)

configured locally in it's network configuration!

(so not like the other servers wich have an IP in the x.x.100.x range)

Did try:

I did try a lot of things. And the best way I did come up with is the following.

First I made an extra interface called DMZAsterisk with the public subnet we own (z.z.81.z).

Connected the A-Server and added a Static Nat Rule from the DMZAsterisk to Outside

with both the z.z.81.45 IP.

This way almost everything works like before, except we can't access our DMZ severs

anymore from the Inside with there public IP adresses. And DNS isn't a solution because

we also need the NAT (port redirection) to work!

Also I get why it's not working. Because Inside traffic is routed to the DMZAstrisk interface.

And the servers arn't there :-)

Thx in advanced!!!

9 Replies 9

ajay chauhan
Rising star
Rising star

can you post full configuration ? what i understood from what you have mentioned -

you need a new server on public IP and range was already there ,if you create any new interface and moved that Public IP range on that . Then you can not do NAT with DMZ. If you need need access for DMZ then port forwarding can solve the issue.



I can't post the config at the moment, because it isn't
till tomorrow (+1 GMT) when I'm back at the office...

BUT, I understand that I can't NAT anymore for that one
public IP address I use for Asterisk (z.z.81.45). But I still

can NAT the other four IP addresses...

With the new configuration (now in production) everything
also works fine!

Except from the Inside to the DMZ trough the NAT by there
four public IPs. (z.z.81.41; z.z.81.42; z.z.81.43; z.z.81.44)

And that's the big problem for us....

NAT works between two interfaces. If you have configured full range on new interface you can not NAT with DMZ servers. However you can still access DMZ servers using real ip address of them from inside zone.



I know... I figured that out :-)

And using the real ip addresses isn't an option in our situation...

Is there a way to trick the ASA?

So traffic from the inside-interface to the four public IPs go the same

route as the inbound internet traffic?

Or can I just isolate that one public IP (z.z.81.45) for that one server
on that DMZAsterisk-interface. At the moment this interface is configured
with the settings of our public subnet... That's way the ASA thinks requests
for the other four public IP has to be dillivered at the DMZAstrisk interface.

And when I disable that interface, everything is just fine again...

(our old configuration)

Answer would be NO


I can't have a NO....

I have to come up with a solution....

Even if I need an extra router or hardware....

Do you maybe know why I can't give my Asterisk Server a

private IP address and "not NAT" this totally 1:1 with one public IP address?

Then I can add this server just to our DMZ...

You can also get one more Public subnet from ISP.

Yeah I know...
That would even be nice for our other servers...

No nat anymore.

But that's also not possible (and I really don't know why!)


Anyone else have some ideas??

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: