01-10-2011 08:11 AM - edited 03-11-2019 12:33 PM
Ok, so I have a question and no lab... I have a dmz segment on my ASA and its 10.10.25.0 for example. I have a PC that I need to advertise in to this segment and I don't want to advertise it as itself, and I don't want to advertise it as something on the .25 either so let's say I use 10.11.11.30. So my question is... if I do this and put in the appropriate ACL, would something on the DMZ be able to talk to the .11.30 I put in the dmz?
example
10.10.1.20 (workstation on the inside) advertised in to the dmz as 10.11.11.30 (static representation in the dmz)
static (inside,dmz) 10.11.11.30 10.10.1.20 netmask 255.255.255.255
thanks
rob
01-10-2011 09:22 AM
Hi Rob,
If I understand your requirements, then that config will work for you. The hosts in the DMZ will send traffic to 10.11.11.30 and the ASA will receive this, untranslate the address to 10.10.1.20, and send it on to the PC off the inside interface. As you mentioned, just make sure you have the appropriate ACLs to allow this.
Hope that helps.
-Mike
01-10-2011 09:29 AM
Thanks Mike,
I couldn't see why it wouldn't but I have seen that not pan out in the past when I would assume things so I figured I would bounce it off the community. I appreciate the response.
thanks
rob
01-10-2011 09:33 AM
Hi Rob,
No problem. If it doesn't work, go ahead and post sanitized copies of your NAT and ACL config so we can see what is wrong. Also, you can use the packet-tracer command to make sure all of the correct rules are being matched:
packet-tracer in dmz tcp
Packet captures are also useful so you can see exactly where a flow is failing. Beyond that, we would need to make sure the DMZ hosts are getting the correct MAC address (i.e. make sure that the ASA has proxy ARP enabled).
-Mike
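Putting the static NAT from the question together with the ACL and the verification steps Mike describes, as an added example (not from the thread). It uses the pre-8.3 syntax of the original `static` command and assumes a DMZ host 10.10.25.50 reaching the advertised address on TCP/445; the addresses and port are placeholders.

```text
! Assumed: DMZ subnet 10.10.25.0/24, DMZ host 10.10.25.50,
! inside PC 10.10.1.20 presented in the DMZ as 10.11.11.30.

! One-to-one static: packets from the dmz side sent to 10.11.11.30 are
! untranslated to 10.10.1.20 and forwarded out the inside interface.
static (inside,dmz) 10.11.11.30 10.10.1.20 netmask 255.255.255.255

! Inbound ACL on dmz. On pre-8.3 code the ACL is checked against the
! mapped (dmz-facing) address, so the destination here is 10.11.11.30,
! not the real inside address. Permit only the host and port needed.
access-list dmz_in extended permit tcp host 10.10.25.50 host 10.11.11.30 eq 445
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! Simulate the DMZ host opening the connection. The phases should show an
! untranslate to 10.10.1.20 and the final result should read ALLOW; a DROP
! names the phase (ACL, NAT, route) that rejected the flow.
packet-tracer input dmz tcp 10.10.25.50 40000 10.11.11.30 445

! 10.11.11.30 is not on the 10.10.25.0/24 subnet, so DMZ hosts only ARP for
! it if they treat it as on-link; otherwise they send it to their gateway,
! which must be the ASA dmz interface (or have a route to it). Confirm
! proxy ARP has not been disabled for dmz: "sysopt noproxyarp dmz" would
! stop the ASA answering ARP for the mapped address.
show running-config sysopt
```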