inside to dmz

Unanswered Question
Sep 18th, 2007

hi all,


suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA for specific ports, e.g. 25 & 21


but in doing so the server (x) IP address, e.g. 10.10.23.20, should be NATed to 192.168.211.201, the subnet configured on the DMZ


server (x) needs to access server (y), which has IP address 192.168.211.200


what would be the best possible way to do so? I have tried using access-list and global, but I get the error message "portmap translation creation failed" on syslog. Now I was thinking of doing it using static from (inside,dmz) with an access list - PAT


any help would be great

JORGE RODRIGUEZ Tue, 09/18/2007 - 18:30

Try this


Your static and ACL should be similar to this.


static (inside,DMZ) 10.10.23.20 10.10.23.20 netmask 255.255.255.255 0 0

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 21

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 25

access-group inside_access_in in interface inside





zulqurnain Tue, 09/18/2007 - 21:13

hi jorgemcse,


This would leave 10.10.23.20 without being translated, but like I said earlier, I want 10.10.23.20 to be translated to 192.168.211.201, a subnet configured on the DMZ


hope this clears up my question

JORGE RODRIGUEZ Wed, 09/19/2007 - 07:13

Zulqurnain,


Then creating PAT for the DMZ interface is one way of doing it: allocate an address for it under the 192.168.201.0 subnet and create PAT, or use the DMZ interface itself as the PAT device.



e.g. regular PAT


global (DMZ) 1 192.168.201.50


or


global (DMZ) 1 interface


zubairjalal Wed, 09/19/2007 - 07:35

What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to DMZ.


It should only need one statement:


static (inside,DMZ) 192.168.211.200 10.10.23.20 netmask 255.255.255.255


You can try this and if it works then you can create an ACL on the DMZ interface for restricting the ports.


Just out of curiosity, do you have nat-control enabled?


--Pls rate if it helps--
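The following is an added configuration example, not posted by anyone in this thread. It is written in the pre-8.3 ASA syntax the thread uses and takes the addresses from the original question: server x is 10.10.23.20 on inside, server y is 192.168.211.200 on DMZ, and x should appear on the DMZ as 192.168.211.201. The ACL name inside_access_in is reused from the thread; everything else (the deny-with-log line, the verification commands) is an assumption about how a practitioner would structure and check this, not anything the ASA requires.

```cisco
! Added example (not from any poster). Pre-8.3 ASA syntax; addresses from the thread.
!
! One-to-one static NAT: the inside host 10.10.23.20 is presented on the DMZ
! as 192.168.211.201. A dedicated mapped address (rather than reusing .200,
! which is server y's own address) avoids an address clash on the DMZ subnet.
static (inside,DMZ) 192.168.211.201 10.10.23.20 netmask 255.255.255.255

! Restrict what x may open toward y to FTP control (21) and SMTP (25) only.
! An ACL applied inbound on the inside interface matches the addresses as they
! arrive there, i.e. the untranslated 10.10.23.20 as source and 192.168.211.200
! (not NATed) as destination.
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
! Explicit logged deny so other attempts from x toward y show up in syslog.
access-list inside_access_in extended deny ip host 10.10.23.20 host 192.168.211.200 log
! CAUTION: once an access-group is applied on inside, ALL other inside traffic is
! dropped unless permitted here; add the permits the rest of the inside needs
! before the implicit deny at the end of the list.
access-group inside_access_in in interface inside

! Verification after x opens a test connection to y (assumed check procedure):
!   clear xlate                              ! drop stale translations after NAT changes
!   show xlate | include 10.10.23.20         ! expect 10.10.23.20 <-> 192.168.211.201
!   show conn | include 192.168.211.200      ! expect only ports 21 and 25 toward y
```

Two caveats worth keeping in mind: changing a static does not tear down translations that already exist, so run clear xlate (or wait for the old entries to time out) before judging the result from show xlate; and FTP's data channel relies on the ftp inspection in the default global policy, so if that inspection has been removed, active-mode FTP from x will fail even though port 21 is permitted.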
