inside to dmz

Unanswered Question
Sep 18th, 2007

hi all,

suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA for specific ports, e.g. 25 & 21

but in doing so the server (x) IP address, e.g. 10.10.23.20, should be NATed to 192.168.211.201, the subnet configured on the DMZ

server (x) needs to access server (y) having IP address 192.168.211.200

what would be the best possible way to do so? I have tried using access-list and global but I get the error message "portmap translation creation failed" in syslog; now I was thinking of doing it using static from (inside,dmz) using an access list - PAT

any help would be great

JORGE RODRIGUEZ Tue, 09/18/2007 - 18:30

Try this

Your static and acl should be similar to this.

static (inside,DMZ) 10.10.23.20 10.10.23.20 netmask 255.255.255.255 0 0

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 21

access-list inside_access_in permit tcp host 10.10.23.20 host 192.168.211.200 eq 25

access-group inside_access_in in interface inside

zulqurnain Tue, 09/18/2007 - 21:13

hi jorgemcse,

This would leave 10.10.23.20 without being translated, but like I said earlier I want 10.10.23.20 to be translated to 192.168.211.201, a subnet configured on the DMZ

hope this clears up my point of question

JORGE RODRIGUEZ Wed, 09/19/2007 - 07:13

Zulqurnain,

Then creating PAT for the dmz interface is one way of doing it, allocate an address for it under the 192.168.201.0 subnet and create PAT, or use the dmz interface itself as the PAT device.

e.g. regular PAT

global (DMZ) 1 192.168.201.50

or

global (DMZ) 1 interface

zubairjalal Wed, 09/19/2007 - 07:35

What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to dmz.

It should only have one statement

static (inside,DMZ) 192.168.211.200 10.10.23.20 netmask 255.255.255.255

You can try this and if it works then you can create an ACL on the DMZ interface for restricting the ports.

Just out of curiosity, do you have nat-control enabled?

--Pls rate if it helps--
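A complete policy PAT configuration for the requirement in the original question, added here as an example (it is not configuration posted by anyone in the thread); it assumes the pre-8.3 ASA NAT syntax the thread uses, the interface names inside and DMZ, and the ACL names INSIDE_DMZ_PAT and inside_access_in are made up.

```cisco
! Added example: policy PAT from inside to DMZ (ASA 7.x / 8.2 syntax, pre-8.3 NAT model).
! Goal from the question: 10.10.23.20 (inside) reaching 192.168.211.200 (DMZ) on TCP 21 and 25
! must appear on the DMZ as 192.168.211.201. ACL names INSIDE_DMZ_PAT and inside_access_in are assumed.
!
! 1. Select only the flows that should be translated (policy NAT uses an ACL as the selector).
access-list INSIDE_DMZ_PAT extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list INSIDE_DMZ_PAT extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
!
! 2. Tie that ACL to NAT id 1 on the real (inside) interface ...
nat (inside) 1 access-list INSIDE_DMZ_PAT
!
! 3. ... and give id 1 a single mapped address on the DMZ. A one-address global is dynamic PAT,
!    so 10.10.23.20 shows up on the DMZ as 192.168.211.201 with a translated source port.
global (DMZ) 1 192.168.211.201
!
! 4. Optional: restrict the inside interface to exactly these two flows (least privilege).
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 21
access-list inside_access_in extended permit tcp host 10.10.23.20 host 192.168.211.200 eq 25
access-group inside_access_in in interface inside
!
! Caveats:
! - Do not keep an identity static for 10.10.23.20 between inside and DMZ at the same time
!   (static (inside,DMZ) 10.10.23.20 10.10.23.20 ...): static translations are matched before
!   dynamic nat/global rules and would override this PAT.
! - Dynamic PAT is one-directional; the DMZ host cannot initiate connections to 192.168.211.201.
!   If both directions must work, use a static instead, which translates every port, not just 21 and 25:
!   static (inside,DMZ) 192.168.211.201 10.10.23.20 netmask 255.255.255.255
! - With nat-control enabled, inside-to-DMZ traffic that matches no nat rule is dropped.
!
! Verify the rule and the live translation:
show nat
show xlate | include 10.10.23.20
```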
