Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2012
Views
0
Helpful
9
Replies

NAT between inside and dmz

Zikosenpay
Level 1
Level 1

‎02-16-2012 06:43 AM - edited ‎03-07-2019 04:59 AM

Hi

we have core switch in our network connected to ASA

on switch ve have vlans:

vlan 20 inside   ip address 172.20.20.0

vlan 30 dmz     ip address 172.30.30.0

interface vlan 20

ip address 172.20.20.254

interface vlan 30

ip address 172.30.30.254

ip route 0.0.0.0 0.0.0.0 172.20.20.1

on ASA:

int g0/0

nameif inside

ip add 172.20.20.1

int g0/1

nameif dmz

ip add 172.30.30.1

we want traffic between inside and dmz pass through ASA

on servers in dmz gateway is 172.30.30.1 the ip address of ASA

on inside vlan pc's gateway is 172.20.20.254 the ip address of core

we did

static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0

the we tried

static (dmz,inside) 172.20.20.0 172.30.30.0 netmask 255.255.255.0

but it didn't help

please advice how to configure,and pass traffic between inside and dmz through ASA?

Labels:
0 Helpful
9 Replies 9

JohnTylerPearce
Level 7
Level 7

‎02-16-2012 07:10 AM

Is there a specific reason that you want traffic to be NAT'd from the inside to the DMZ? Is this because of security reasons ro do you have nat control enabled?

0 Helpful

rizwanr74
Level 7
Level 7

‎02-16-2012 07:11 AM

Try this: static (inside,dmz) 172.20.0.0 172.20.0.0 netmask 255.255.0.0

thanks

Rizwan Rafeek

0 Helpful

Zikosenpay
Level 1
Level 1
In response to rizwanr74

‎02-16-2012 09:21 PM

Hi,

John TylerPearce:  we do this due to security reasons. we are doing NAT for internet also, its working. do we need to enable NAT control?

rizwanr74: I'll try

0 Helpful

ebarticel
Level 4
Level 4

‎02-16-2012 09:26 PM

You have some typos in your mappings

static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0

should be

static ( inside,dmz) 172.20.20.0 172.30.30.0 netmask 255.255.255.0

0 Helpful

Zikosenpay
Level 1
Level 1
In response to ebarticel

‎02-16-2012 10:28 PM

Eugen Barticel: but in books they write that it should be same subnet, i mean the inside subnet

0 Helpful

ebarticel
Level 4
Level 4
In response to Zikosenpay

‎02-16-2012 10:38 PM

Sorry my mistake...

Check an example of configuration here, they don't use the same network for both inside and dmz

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html

Hope this helps

Eugen

0 Helpful

Zikosenpay
Level 1
Level 1
In response to ebarticel

‎02-17-2012 04:07 AM

Eugen Thanks,

but in this example there are overlapping network on inside and dmz, not our situation

0 Helpful

ebarticel
Level 4
Level 4
In response to Zikosenpay

‎02-17-2012 04:27 AM 

This statement is above the topology diagram and is not related 
to overlapping described after the topology

"The following command statically maps an entire subnet: 

 hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0 "

I had a look at that statement when  I had posted that you may have a typo in the configuration. I hope that you will find the solution

All the best

Eugen

0 Helpful

Zikosenpay
Level 1
Level 1
In response to ebarticel

‎02-17-2012 06:38 AM

Hi,

i find the problem. i have deleted the interface vlan 30 on core switch, after that, static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0 is worked

thank everyone for help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card