ASA5505 Static Mapping Problem - Possible bug with ver. 7.2(2)

etsemail99 · ‎11-22-2007

Hi all, I need a 2nd opinion here. I tried to configure my ASA5505 to allow users from the â€œinside interfaceâ€ to access a server in the DMZ (see attached drawing). I did this my using a static command:

Static (dmz, inside) mapped_internal_ip_address real_ip_dmz_ip_address netmask 255.255.255.255.

This is also documented in CISCO document ID 64758 - pix70-nat-pat.pdf (attached file). Although this a very typical set up, my endeavor failed miserably.

I did the same and allow users from the â€œoutside interfaceâ€ to access the same server in the DMZ, and it worked flawlessly.

I did check sysopt, and proxyarp was not disabled.

I strongly suspected this a bug in the software, because Cisco documented this could be done.

I would like a second pair of eyes to verify my configuration.

See the configuration and err msg in the attached "Message text - ASA5505 Static Mapping Problem.doc".

santukumar · ‎11-22-2007

U do some modification on the config--

static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0

After modification, I m sure that the inside host can ping the dmz server.

Also check for the nat statement--

nat(dmz)1 0 0

my mail--abhaycold@gmail.com

etsemail99 · ‎11-23-2007

Thanks Santukumar! I tried. But that did not help. By adding static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0. The firewall allows requests from DMZ to inside, which is opposite of what I tried to accomplish.

Tse