2585, typo should be

static(dmz2,dmz3) 192.168.5.88 192.168.5.88 netmask 255.255.255. Take care

Hi sdoremus33,

Thanks for the help. I have one doubt,

The ip address I need to nat is on dmz2 192.168.8.1 255.255.255.0 network.

The actual ip of the box is 192.168.8.27

if I use your static how do bind the 192.168.8.27 to the 192.168.5.88?...I'm lost... the box ip was 192.168.5.88, but maybe I'm wrong

Thanks a lot!

So if the src=192.168.8.x where the box is .27, and the dst is 192.168.5.x. The dst device needs to see the src as 192.168.5.88. This instructs the ASA device to take the org src and nat to 192.168.5.88 from the original ip src@ 192.168.8.27 to the dst @192.168.5.x. Now the dest device will see the ip packet with a sourec @192.168.5.88. This is one of the isiosyncracies in Cisco ASA/Pix devices.HTH

Randall

Was this helpful, my thinking was to take the devive that needed to be natted which was on the .8.x subnet and present this as .5.88 on dmz3. Just curious to see if this worked out for you. Thanks and have a great day

Hi thanks for the help.

Hi Sdoremus33,

Thanks for all your help.

I tried it yesterday and no luck.

static(dmz2,dmz3) 192.168.5.88 192.168.5.88

also tried:

static(dmz2,dmz3) 192.168.8.27 192.168.8.27 didn't work.

Cl xl, clear local-h, allowed permit ip any any to test, didn't work

I even added another pc with a fresh XP install to test if it was a pc issue, couldn't get it work.

I have a big question mark on my head on why the heck id doesn't work :-).....

Did you ever figure this out? I'm hitting my head up against a similar scenario of low security-level interface to high security-level interface static NAT not working.

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet1 inside security100

nameif ethernet2 mgmtdmz security90

ip address inside 192.168.17.251 255.255.254.0

ip address mgmtdmz 172.31.0.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 192.168.16.1 1

route inside 172.16.0.0 255.240.0.0 192.168.16.1 1

route inside 192.168.0.0 255.255.0.0 192.168.16.1 1

access-list mgmtdmz-acl-in permit ip host 172.31.0.10 any

access-list mgmtdmz-acl-in permit icmp any any

access-list inside_access_in line 1 permit ip any host 192.168.17.254

access-list inside_access_in line 2 permit icmp any any

access-group inside_access_in in interface inside

access-group mgmtdmz-acl-in in interface mgmtdmz

static (mgmtdmz,inside) 192.168.17.254 172.31.0.10 netmask 255.255.255.255 0 0

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

No buddy, couldn't figure it out. Had to do a cheesy workaround and move the server to another dmz.

Let me know if you figure it out!

Cheers,

Randall

EBarb,

I think the problem with this is your access-lists. The first line in each one is backwards. For example, the source in the one applied to the dmz is 172.31.0.10. From an interface perspective, that should be the destination. The inside one is only permitting icmp to go from inside to anywhere because of a similar issue.