02-16-2012 06:43 AM - edited 03-07-2019 04:59 AM
Hi
we have a core switch in our network connected to an ASA
on the switch we have vlans:
vlan 20 inside ip address 172.20.20.0
vlan 30 dmz ip address 172.30.30.0
interface vlan 20
ip address 172.20.20.254
interface vlan 30
ip address 172.30.30.254
ip route 0.0.0.0 0.0.0.0 172.20.20.1
on ASA:
int g0/0
nameif inside
ip add 172.20.20.1
int g0/1
nameif dmz
ip add 172.30.30.1
we want traffic between inside and dmz to pass through the ASA
on servers in the dmz the gateway is 172.30.30.1, the ip address of the ASA
on the inside vlan the pc's gateway is 172.20.20.254, the ip address of the core
we did
static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0
then we tried
static (dmz,inside) 172.20.20.0 172.30.30.0 netmask 255.255.255.0
but it didn't help
please advise how to configure and pass traffic between inside and dmz through the ASA?
02-16-2012 07:10 AM
Is there a specific reason that you want traffic to be NAT'd from the inside to the DMZ? Is this because of security reasons or do you have nat control enabled?
02-16-2012 07:11 AM
Try this: static (inside,dmz) 172.20.0.0 172.20.0.0 netmask 255.255.0.0
thanks
Rizwan Rafeek
02-16-2012 09:21 PM
Hi,
John TylerPearce: we do this for security reasons. We are doing NAT for the internet also, it's working. Do we need to enable NAT control?
rizwanr74: I'll try
02-16-2012 09:26 PM
You have some typos in your mappings
static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0
should be
static ( inside,dmz) 172.20.20.0 172.30.30.0 netmask 255.255.255.0
02-16-2012 10:28 PM
Eugen Barticel: but in books they write that it should be the same subnet, I mean the inside subnet
02-16-2012 10:38 PM
Sorry my mistake...
Check an example of configuration here; they don't use the same network for both inside and dmz
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html
Hope this helps
Eugen
02-17-2012 04:07 AM
Eugen, thanks,
but in this example there are overlapping networks on inside and dmz, not our situation
02-17-2012 04:27 AM
This statement is above the topology diagram and is not related to the overlapping described after the topology:
"The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0 "
I had a look at that statement when I had posted that you may have a typo in the configuration. I hope that you will find the solution
All the best
Eugen
02-17-2012 06:38 AM
Hi,
I found the problem. I deleted the interface vlan 30 on the core switch; after that, static ( inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0 worked
Thanks everyone for the help
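The resolution above is an asymmetric-routing problem rather than a NAT problem: with an SVI for vlan 30 on the core, the core routes inside-to-DMZ packets straight onto vlan 30 and bypasses the ASA, while the DMZ servers (gateway 172.30.30.1) send replies back through the ASA, which has no connection entry for them and drops them. The model below is an added example, not configuration from the thread or from Cisco; it uses the thread's addresses, models the core's longest-prefix routing with and without the vlan 30 SVI, and a simplified stateful firewall that only permits a reply when it saw the forward packet. The host addresses .10 and the helper names are constructed for the example.

```python
"""Model of the inside <-> dmz path with and without a vlan 30 SVI on the core.

Added example (not from the thread). Addresses 172.20.20.x / 172.30.30.x are the
thread's; the .10 hosts and all function names are constructed assumptions.
"""
import ipaddress


def core_routes(vlan30_svi: bool):
    """Core switch routing table: connected SVIs plus the default route to the ASA."""
    routes = [
        (ipaddress.ip_network("172.20.20.0/24"), "connected:vlan20"),
        (ipaddress.ip_network("0.0.0.0/0"), "via:172.20.20.1"),  # ASA inside
    ]
    if vlan30_svi:
        # The SVI that the original poster eventually removed.
        routes.append((ipaddress.ip_network("172.30.30.0/24"), "connected:vlan30"))
    return routes


def lookup(routes, dst: str):
    """Longest-prefix match over the core's routing table."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


class StatefulFirewall:
    """Simplified stateful inspection: replies need a matching forward connection."""

    def __init__(self):
        self.conns = set()

    def forward(self, src: str, dst: str) -> str:
        # inside -> dmz (higher to lower security) is allowed; record the connection.
        self.conns.add((src, dst))
        return "permit"

    def reply(self, src: str, dst: str) -> str:
        # dmz -> inside is only allowed as the return half of a known connection.
        if (dst, src) in self.conns:
            return "permit"
        return "drop: no connection"


def simulate(vlan30_svi: bool):
    """Return (forward_path, reply_result) for an inside PC talking to a DMZ server."""
    pc, server = "172.20.20.10", "172.30.30.10"  # constructed hosts
    asa = StatefulFirewall()
    next_hop = lookup(core_routes(vlan30_svi), server)
    if next_hop == "connected:vlan30":
        # Core delivers the packet directly on vlan 30; the ASA never sees it.
        forward_path = "core->server (bypasses ASA)"
    else:
        forward_path = "core->ASA->server"
        asa.forward(pc, server)
    # The server's gateway is the ASA dmz interface either way, so the reply
    # always reaches the ASA.
    return forward_path, asa.reply(server, pc)


if __name__ == "__main__":
    for svi in (True, False):
        print(f"vlan 30 SVI on core: {svi!s:5}  ->  {simulate(svi)}")
```

Running it shows that with the SVI present the forward packet bypasses the ASA and the reply is dropped, and that removing the SVI (the thread's fix) puts both directions through the firewall, at which point the identity static `static (inside,dmz) 172.20.20.0 172.20.20.0 netmask 255.255.255.0` is all the ASA needs to carry the untranslated inside addresses into the DMZ. The alternative of keeping the SVI and telling the ASA to tolerate one-sided flows would mean giving up stateful inspection on that path, so making the ASA the only L3 hop between the two segments is the safer design.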