inside to dmz

Unanswered Question
Sep 18th, 2007

hi all,

Suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA on specific ports, e.g. 25 & 21.

But in doing so the server (x) IP address, e.g. , should be NATed to ( the subnet configured on the DMZ

Server (x) needs to access server (y), which has IP address .

What would be the best possible way to do so? I have tried using access-list and global, but I get the error message "portmap translation creation failed" in the syslog. Now I was thinking of doing it using a static from (inside,dmz) with an access-list (PAT).

Any help would be great.

JORGE RODRIGUEZ Tue, 09/18/2007 - 18:30

Try this

Your static and ACL should be similar to this.

static (inside,DMZ) netmask 0 0

access-list inside_access_in permit tcp host host eq 21

access-list inside_access_in permit tcp host host eq 25

access-group inside_access_in in interface inside

zulqurnain Tue, 09/18/2007 - 21:13

Hi jorgemcse,

This would leave the  without being translated, but like I said earlier I want  to be translated to , a subnet configured on the DMZ.

Hope this clears up my point of question.

JORGE RODRIGUEZ Wed, 09/19/2007 - 07:13


Then creating PAT for the DMZ interface is one way of doing it: allocate an address for it under the  subnet and create PAT, or use the DMZ interface itself as the PAT device.

e.g. regular PAT

global (DMZ) 1


global (DMZ) 1 interface

zubairjalal Wed, 09/19/2007 - 07:35

What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to DMZ.

It should only have one statement:

static (inside,DMZ) netmask

You can try this, and if it works then you can create an ACL on the DMZ interface for restricting the ports.

Just out of curiosity, do you have nat-control enabled?

--Pls rate if it helps--
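As an added example that is not code from this thread: a pre-8.3 ASA (7.x/8.0 NAT syntax, matching the era of the posts) configuration that does what the original poster asked for and ties together Jorge's PAT answer and zubairjalal's nat-control question. Inside host (x) is hidden behind a spare address in the DMZ subnet and is limited to ports 25 and 21 on (y). Every address, the interface name DMZ, the nat id and the ACL name are hypothetical. With nat-control on, an inside host whose only matching global sits on the outside interface gets no translation toward the DMZ, and the ASA logs "portmap translation creation failed" for its TCP/UDP flows; a global (or a static) on the DMZ interface is what removes that error.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   inside 10.1.1.0/24, server (x) = 10.1.1.10
!   DMZ    192.168.2.0/24, server (y) = 192.168.2.20
!   spare DMZ-subnet address used as the mapped address for (x) = 192.168.2.200
!
! With nat-control on, every inside->DMZ flow needs a matching translation.
! A global that exists only on the outside interface does not cover the DMZ,
! which is the classic cause of "portmap translation creation failed".
nat-control

! Option A: dynamic PAT. Hide (x) behind a spare address in the DMZ subnet.
! The nat id (2) must be the same on the nat and global lines, and the global
! must be on the DMZ interface or inside->DMZ traffic has no translation.
nat (inside) 2 10.1.1.10 255.255.255.255
global (DMZ) 2 192.168.2.200
! Variant: use the DMZ interface's own address as the PAT address instead:
! global (DMZ) 2 interface

! Option B: a one-to-one static instead of PAT. (x) always appears on the DMZ
! as 192.168.2.200 and the ASA proxy-ARPs for that address on the DMZ.
! Configure either A or B for the real host, not both.
! static (inside,DMZ) 192.168.2.200 10.1.1.10 netmask 255.255.255.255

! Restrict (x) to SMTP and FTP on (y). An interface ACL matches the real
! (pre-translation) source address. Binding an ACL inbound on inside replaces
! the default "higher to lower security" permit with an implicit deny, so the
! last line keeps all other inside-originated traffic (e.g. to the outside)
! working while everything else toward the DMZ subnet is dropped and logged.
access-list inside_access_in extended permit tcp host 10.1.1.10 host 192.168.2.20 eq 25
access-list inside_access_in extended permit tcp host 10.1.1.10 host 192.168.2.20 eq 21
access-list inside_access_in extended deny ip any 192.168.2.0 255.255.255.0 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
```

After adding or changing nat/global or static lines on these releases, run `clear xlate` so stale translations are rebuilt, then `show xlate` should list the mapped address 192.168.2.200 once (x) opens a connection. On ASA 7.2 and later, `packet-tracer input inside tcp 10.1.1.10 1025 192.168.2.20 25` walks the flow through the ACL and NAT phases and shows whether a translation is found before any packet is sent. For port 21, the `inspect ftp` entry in the default global policy is what lets the FTP data channel follow the PAT'd control connection; if that inspection has been removed, active-mode FTP through the PAT will fail.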

