ASA 5505 Inside Access to DMZ Server

Unanswered Question
Sep 24th, 2007

Hello All!

I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.

So I set up an email server on our DMZ at It can be accessed via https, imap, etc. from the Internet, no problem, from an IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)

I can ping the mail server through the ASA, and get a response from I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.

Here's my config:

name Mailbert ;real mail server address
name ExternalMail
name defaultexternal
name InternalMail61
interface Vlan1
 nameif inside
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1
nat (dmz) 1 dns
static (dmz,outside) ExternalMail Mailbert netmask
static (inside,dmz) netmask
static (dmz,inside) InternalMail61 Mailbert netmask
access-group outside_access_in in interface outside

Thanks All!

acomiskey Mon, 09/24/2007 - 17:26

Why not just access it with its real address, Just remove the destination nat statement.

no static (dmz,inside) InternalMail61 Mailbert netmask

andywang1 Wed, 09/26/2007 - 13:04

I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?



acomiskey Wed, 09/26/2007 - 15:09

I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?

ip route

andywang1 Wed, 09/26/2007 - 15:27

I was only able to ping after adding this:

static (inside,dmz) netmask

Note that if I try to ftp the mailserver, the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?

I will try the ip route thing.
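Putting the two replies together (reach the server at its real DMZ address, with only an identity translation from inside to dmz, and a route on the workstations' DSL router pointing the DMZ subnet at the ASA), here is an added example configuration. It is not the poster's config or Cisco's; every address is a placeholder from the RFC 5737 and RFC 1918 ranges, the interface names and access-list follow the posted config, and the syntax is ASA 7.2 (where packet-tracer is available).

```text
! Added example, placeholder addressing (not the thread's real addresses):
!   inside  10.0.0.0/24   ASA inside 10.0.0.1, separate DSL router 10.0.0.254
!   dmz     172.16.1.0/24 mail server (Mailbert) 172.16.1.10
!   outside 198.51.100.2  public mail address (ExternalMail) 198.51.100.10
names
name 172.16.1.10 Mailbert
name 198.51.100.10 ExternalMail
!
! Inside hosts reach the server at its real address 172.16.1.10:
! identity translation of the inside subnet toward dmz, and no
! static (dmz,inside) entry (the reply's "remove the destination nat").
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Internet side stays as posted: public address mapped to the DMZ server,
! PAT to the outside interface for anything else leaving inside or dmz.
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
access-group outside_access_in in interface outside
!
! Check from the ASA CLI before testing from a workstation: the NAT phase
! must show the static (inside,dmz) entry, not a "no translation group" drop.
! packet-tracer input inside tcp 10.0.0.50 1025 172.16.1.10 443
!
! On the DSL router (the workstations' default gateway), so inside hosts
! need no second gateway for the DMZ subnet:
! ip route 172.16.1.0 255.255.255.0 10.0.0.1
```

The packet-tracer line is the quickest way to tell the two failure modes in the thread apart: a drop in the NAT phase means the inside-to-dmz flow matched nat (inside) 1 with no matching global on dmz, whereas a successful trace followed by a failing connection from a workstation points at the return path, which is what the route on the DSL router addresses.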