Showing results for 
Search instead for 
Did you mean: 

New situation, but how to address? (outside, dmz, inside)


Hi all,

I'm looking for a 'new' solution wich i can't figure out...


First of all, I use a Cisco Asa 5505 with ASDM 6.1.

And we own from our ISP a public router IP with 5 useable public sub-IPs.

(IPs are just made up...)

Asa Router : z.z.80.21

ISP Gateway: z.z.80.20

Useable IPs: z.z.81.41 - z.z.81.45

Old Situation:

The Old config was very basic but effective.

We had setup 3 interfaces: Outside (z.z.80.21), DMZ (x.x.100.x) and Inside (x.x.1.x).

And I used 'Nat Policy rules' in the DMZ from server to Outside at an useable IP (z.z.81.41).

This way we could use from Inside the Public IPs and was the NAT working correct.

But also the Internet could rage our servers trough the NAT.

(We have more Servers then Public IPs AND we need NAT because not all servers publish

there service on the same port we want to publish on the public internet)

New Situation:

Now we have an new server who needs it's own dedicated public IP without a NAT!

(It's a VOIP Asterisk Server)

And I'm also advised that this server needs this dedicated public IP (z.z.81.45)

configured locally in it's network configuration!

(so not like the other servers wich have an IP in the x.x.100.x range)

Did try:

I did try a lot of things. And the best way I did come up with is the following.

First I made an extra interface called DMZAsterisk with the public subnet we own (z.z.81.z).

Connected the A-Server and added a Static Nat Rule from the DMZAsterisk to Outside

with both the z.z.81.45 IP.

This way almost everything works like before, except we can't access our DMZ severs

anymore from the Inside with there public IP adresses. And DNS isn't a solution because

we also need the NAT (port redirection) to work!

Also I get why it's not working. Because Inside traffic is routed to the DMZAstrisk interface.

And the servers arn't there :-)

Thx in advanced!!!

9 Replies 9

ajay chauhan
Rising star
Rising star

can you post full configuration ? what i understood from what you have mentioned -

you need a new server on public IP and range was already there ,if you create any new interface and moved that Public IP range on that . Then you can not do NAT with DMZ. If you need need access for DMZ then port forwarding can solve the issue.