Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
362
Views
0
Helpful
1
Replies

problem nat outside to inside and DMZ to inside?

join_sn09
Level 1
Level 1

‎02-12-2012 08:54 PM - edited ‎03-11-2019 03:28 PM

Dear Expert,

now i have some issue that i use portforwarding from outside to inside and DMZ to inside.

now i have lap first from ASA e0/0 to PC1 (outside) and PC2 eth0/1 (inside) and PC3 eth0//2 (DMZ)

from inside can ping to outside but outside cannot access into inside.

this command that i used :

access-list outside_acl_in extended permit tcp any host 10.51.51.1 eq 80

static (inside,outside) tcp inter 10.10.10.1 netmask 255.255.255.255

is it correct on this command?

------------------------------------------------------------------------------------------------------------------------------------------------

any way i want to allow from DMZ to inside also but is still not work

access-list dmz_acl_in extended permit tcp any host 20.20.20.1 eq 3389

static (inside,dmz) tcp inter 10.10.10.1 netmask 255.255.255.255

this command above is not working but is use this command as bellow is working, i don't know why?

access-list dmz_acl_in extended permit tcp any host 10.10.10.1 eq 3389

static (inside,DMZ) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

Could you help me on this issue?

which command that allow from outside to inside?

which command that allow from DMZ to inside?

which command that allow from ouside to DMZ?

Note: i use IOS ver:  ASA Version 8.0(4)

Best Regards,

Join

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎02-13-2012 04:56 PM

Hello Join,

I do not fully understand your english but here we go!

access-list outside_acl_in extended permit tcp any host 10.51.51.1 eq 80

static (inside,outside) tcp inter 10.10.10.1 netmask 255.255.255.255

No, it is not correct. If you want to allow incoming traffic on port 20 to the outside interface to  be redirected to 10.10.10.1

it should be:

static (inside,outside) tcp inter 80 10.10.10.1 80  netmask 255.255.255.255

access-list outside_acl_in extended permit tcp any host outside_interface_ip eq 80

Same thing with the other requests,

Do rate all the helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card