11-22-2007 07:51 PM - edited 03-11-2019 04:34 AM
Hi all, I need a 2nd opinion here. I tried to configure my ASA5505 to allow users from the "inside interface" to access a server in the DMZ (see attached drawing). I did this by using a static command:
Static (dmz, inside) mapped_internal_ip_address real_ip_dmz_ip_address netmask 255.255.255.255.
This is also documented in Cisco document ID 64758 - pix70-nat-pat.pdf (attached file). Although this is a very typical setup, my endeavor failed miserably.
I did the same and allowed users from the "outside interface" to access the same server in the DMZ, and it worked flawlessly.
I did check sysopt, and proxyarp was not disabled.
I strongly suspected this was a bug in the software, because Cisco documented that this could be done.
I would like a second pair of eyes to verify my configuration.
See the configuration and err msg in the attached "Message text - ASA5505 Static Mapping Problem.doc".
11-22-2007 11:04 PM
You do some modification on the config:
static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0
After modification, I'm sure that the inside host can ping the dmz server.
Also check for the nat statement:
nat (dmz) 1 0 0
11-23-2007 08:27 AM
Thanks Santukumar! I tried. But that did not help. By adding static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0, the firewall allows requests from DMZ to inside, which is the opposite of what I tried to accomplish.
Tse