3227 Views, 0 Helpful, 25 Replies

Static NAT for DMZ servers.

Debudas123
Level 1

I have two DMZ servers and also have two separate public IPs for static NAT.

I have configured the following, but I can't access the internet.

asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x1

asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x2

asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.8 any

asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.9 any

asa(conf)#static (dmz,outside) 115.119.126.x1 172.16.49.8 netmask 255.255.255.255

asa(conf)#static (dmz,outside) 115.119.126.x2 172.16.49.9 netmask 255.255.255.255

asa(conf)#access-group outside_access_in in interface outside

asa(conf)#access-group dmz_access_in in interface dmz

asa(conf)#route outside 0.0.0.0 0.0.0.0 115.119.126.x  1

25 Replies

OK Sir,

Just confirm for me whether the entire configuration is right or not?

Thanks,

Debabrata

It's absolutely right, no issues with it.

Varun

Thanks,
Varun Rao

Dear Sir,

One thing: can I use both NAT translations in the DMZ?

1. nat (dmz) 1 0.0.0.0 0.0.0.0

2. static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255

    static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255

thanks

Debabrata Das

Yes you can use it:

SRV1 and SRV2 would take the public IPs StaticSRV1 and StaticSRV2 respectively to go to the internet, but apart from these two hosts, all the other hosts in the DMZ would take the outside interface public IP to go to the internet.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao
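The opening configuration and Varun's description above both combine one-to-one static translations for the two servers with a dynamic translation for the rest of the DMZ. The following is an added example of that layout, not the poster's or Varun's configuration, written in the pre-8.3 ASA syntax the thread uses. The real server addresses 172.16.49.8 and 172.16.49.9 come from the post; the public addresses 203.0.113.11 and 203.0.113.12 and the next hop 203.0.113.1 are documentation addresses standing in for the redacted 115.119.126.x values, and 10.0.0.0/8 is an assumed inside network. Two points a practitioner should check against the posted configuration: the dynamic rule `nat (dmz) 1 ...` translates nothing until a matching `global (outside) 1 interface` exists (that line is what makes the other DMZ hosts leave with the outside interface address, as Varun describes), and the inbound ACL should permit only the published services rather than `permit ip any host`, because the static translation otherwise exposes every port of the real server.

```cisco
! Added example, not the poster's configuration. Pre-8.3 ASA syntax.
! Assumed: real servers 172.16.49.8/.9 (from the post); mapped addresses
! 203.0.113.11/.12 and next hop 203.0.113.1 are documentation addresses
! standing in for the redacted 115.119.126.x values; 10.0.0.0/8 is an
! assumed inside network.

! One-to-one static NAT for the two published servers
static (dmz,outside) 203.0.113.11 172.16.49.8 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 172.16.49.9 netmask 255.255.255.255

! Every other DMZ host is PAT'd behind the outside interface address.
! "nat (dmz) 1" does nothing without a matching "global (outside) 1".
nat (dmz) 1 172.16.49.0 255.255.255.0
global (outside) 1 interface

! Inbound from the internet. Pre-8.3 ACLs reference the MAPPED address.
! Permit only the published services instead of "permit ip any host".
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq https
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq https
access-list outside_access_in extended permit icmp any host 203.0.113.11 echo
access-list outside_access_in extended permit icmp any host 203.0.113.12 echo
access-group outside_access_in in interface outside

! Outbound from the DMZ: keep the DMZ away from the inside network, then
! allow only what the servers need (DNS, HTTP, HTTPS); everything else
! falls to the implicit deny.
access-list dmz_access_in extended deny ip 172.16.49.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_access_in extended permit udp 172.16.49.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit tcp 172.16.49.0 255.255.255.0 any eq www
access-list dmz_access_in extended permit tcp 172.16.49.0 255.255.255.0 any eq https
access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! The static translations should appear here before any traffic flows
show xlate
```

On ASA 8.3 and later the `static`, `nat` and `global` commands are replaced by object NAT (`object network ... nat (dmz,outside) static ...`), and access lists applied to the outside interface must reference the real (untranslated) address rather than the mapped one. Pasting the pre-8.3 form above into a newer image is a common reason an otherwise correct-looking configuration passes no traffic.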

Yes, I think you are right.

** When I use this > nat (dmz) 1 0.0.0.0 0.0.0.0, the internet is working for all users in the DMZ zone. But I can't access or ping the DMZ servers from outside (also it is not possible without static NAT).

** When I use this > static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255
                     static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255

   the internet is not working and also I can't access the servers from outside.

** When I use both NAT policies the internet is working (including for the servers), but I can't access the servers from outside.

For your information >>> the customer is now using a Fortinet 110C (I have also configured this) and everything is working fine.

Dear Sir,

As per discussion with you I have attached the conf.txt file.

Thanking You

Debabrata Das

Hand Phone: 09836946135

for G.S.Computel Pvt. Ltd.

An ISO 9001:2000 Certified Organization

1, Crooked Lane, 1st floor

Kolkata - 700069, WB, India

Ph: +91 33 22428245 / 22428307 / 30222070 / 32928845

email : debu@gscomputel.com

debabrata.netinfo@gmail.com

Website: www.gscomputel.com

Did you turn on nat-control for any particular reason? You may want to turn it off, which is the default. According to Cisco you have to remove all nat statements before turning it off, then reconfigure them. More about it here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

I have tried this:

  #wr erase

  #reload

Now the ASA is factory-default.

A fresh new configuration has been done (also I have checked that nat-control is off).

But after re-configuring the ASA the problem is not solved.

Then I configured nat-control.

But nothing happened.

The problem is still there.

Thanks

Debabrata

You mentioned earlier that the customer is using a Fortinet without issues. Are you using the ASA to replace it? If so, you probably need to clear the ARP cache on your upstream router when you put the ASA in its place, assuming you are using the same public IP addresses for the servers.

Hello Debudas,

As Varun suggested, please do the captures; this is the only way we are going to get to the solution of this issue. The configuration is fine: you have what you need to be able to go out to the internet and then come in to those servers located on the DMZ.

Let's do the following captures, assuming that you are coming from the IP address 165.25.25.25 (the IP address of the computer where you are performing the connection) and you want to get into StaticSRV1 on port 80.

The first one on the DMZ interface:

access-list capdmz permit tcp host 165.25.25.25 host 172.16.49.14 eq 80

access-list capdmz permit tcp host 172.16.49.14 eq 80 host 165.25.25.25

capture capdmz access-list capdmz interface dmz

The second one on the outside interface:

access-list capout permit tcp host 165.25.25.25 host 115.119.126.19 eq 80

access-list capout permit tcp host 115.119.126.19 eq 80 host 165.25.25.25

capture capout access-list capout interface outside

And finally a capture to check the drops on the ASA:

capture drop type asp-drop all

You will need to provide the outputs of:

show capture capdmz

show capture capout

show capture drop | include 115.119.126.19

show capture drop | include 172.16.49.14

show capture drop | include 165.25.25.25

Let us know so we can help you.

Regards,

Julio,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
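Alongside the captures above, `packet-tracer` simulates a single packet through the ASA and reports which phase (access list, NAT, route lookup) allows or drops it, without waiting for real traffic from the client. This is an added example, not part of Julio's reply; the addresses are the ones assumed in his captures (client 165.25.25.25, mapped server 115.119.126.19, real server 172.16.49.14) and the source port 40000 is arbitrary.

```cisco
! Added example, not from the thread. Addresses are those assumed in the
! capture post above; source port 40000 is arbitrary.

! Inbound: an internet client opening TCP/80 to the published address.
! Pre-8.3: the destination is the mapped address, as it arrives on "outside".
packet-tracer input outside tcp 165.25.25.25 40000 115.119.126.19 80 detailed

! Outbound: the same DMZ server initiating a connection to the internet.
! This exercises the static translation in the other direction.
packet-tracer input dmz tcp 172.16.49.14 40000 165.25.25.25 80 detailed

! The static xlate should exist before any traffic flows; "show nat" lists
! the configured translation rules.
show xlate | include 172.16.49.14
show nat

! Drop counters by reason. Clear them, retry the connection from the client,
! then read them again so only the new drops are shown.
clear asp drop
show asp drop
```

Each trace ends with `Action: allow` or `Action: drop`; a drop is followed by a `Drop-reason:` line naming the cause, and the phase list above it shows the access-list entry and the NAT rule (the UN-NAT phase for the inbound case) that matched. If the inbound trace is dropped at the ACCESS-LIST phase while the outside ACL looks correct, check whether that ACL references the mapped or the real address for the ASA version in use.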

Sorry Sir, the command is not supported here.

Thanks

Debabarta
