2 x ASA communicating from DMZ;Inside;Inside;Outside

Unanswered Question
Aug 12th, 2008


I have 2 x ASA and I am trying to get a server in the DMZ of asa1 to communicate with the Outside of asa2.

The path it takes is the following:

asa1 DMZ -> Inside

asa2 Inside -> Outside

But the above does not work; I don't see packets getting to the Outside of asa2. Is this a problem with security levels, or is it not possible to pass traffic from the interfaces via two firewalls?

purohit_810 Tue, 08/12/2008 - 05:02

I think your setup looks like this:

1) Both firewall's outside interface connected to switch.

2) DMZ server is connected on only one firewall.

If this is the case then you should put a switch in the DMZ, connect the server to the switch, and connect both firewalls' DMZ interfaces to the switch.

Now it will be... routed from inside to DMZ from both firewalls.



Marwan ALshawi Tue, 08/12/2008 - 05:03

As I understood:

asa dmz>>inside>>asa2inside>>asa2 outside

I will assume the following example:


DMZ network


inside IP



inside IP

On asa1 do the following:

static (DMZ, inside) netmask

route inside

access-list 100 permit ip any

access-group in interface DMZ

(assuming that the inside security level is 100 and the DMZ is less than 100)

Now asa2:

route inside

If you want to allow packets coming from the outside of asa2 to the DMZ of asa1, add the following:

access-list 101 permit ip any

access-group 101 in interface outside

Good luck.

Please rate if helpful.

network_team Tue, 08/12/2008 - 05:54

As you can see the is unable to access the webserver on The traffic from goes through the asa1 and out via 18.8.88.x on the asa2, but we do not see any traffic going to asa for access to

asa1 dmz security level 4

asa1 inside security level 100

asa2 inside security level 100

asa2 outside security level 0

Marwan ALshawi Tue, 08/12/2008 - 06:53

If you can post the config of both asa1 and asa2,

it will be easier to solve it.

However, the idea I have mentioned above is still valid for your case,

but if you can post the config it will save time for us.

Marwan ALshawi Thu, 08/14/2008 - 18:34

Try to add the following and let me know.

on ASA_1

access-list 100 permit ip host Web host cx01

access-group in interface outside

on ASA_2

access-list 100 permit ip host cx01 host Web

access-group in interface DMZ

Good luck.

Marwan ALshawi Fri, 08/15/2008 - 02:53

What is this for on ASA 1?

route outside Web 1


If the web server is connected directly to the outside subnet of ASA 1, remove this line.

Remove this line from ASA 2 as well:

route DMZ CX01 1

and keep the ACLs I have given to you.


Reload both firewalls and test it, then let me know.

Good luck.
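To show how the pieces discussed in this thread (the static on asa1, the routes on both boxes, and the ACLs on the low-security interfaces) fit together, here is an added example that is not the poster's configuration: all addresses, interface names and the ACL names DMZ_IN / OUTSIDE_IN are constructed, the web server is 192.0.2.10 in the asa1 DMZ and the outside client cx01 is 198.51.100.50, and the ACLs permit only that host pair on TCP/443 rather than "permit ip any any".

```cisco
! ===== ASA1 (DMZ <-> inside), constructed addressing =====
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 4
 ip address 192.0.2.1 255.255.255.0
! everything that is not local goes to ASA2's inside interface
route inside 0.0.0.0 0.0.0.0 10.1.1.2 1
! identity static: the web server keeps its address when seen from inside
static (DMZ,inside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
! DMZ (4) -> inside (100) is denied by default, so an inbound ACL on the
! DMZ interface must permit the flow; it is scoped to the one host pair
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 198.51.100.50 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ

! ===== ASA2 (inside <-> outside), constructed addressing =====
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
! ASA2 must know the DMZ subnet sits behind ASA1, otherwise packets for
! 192.0.2.0/24 (including return traffic) never reach asa1
route inside 192.0.2.0 255.255.255.0 10.1.1.1 1
! the DMZ subnet, not only 10.1.1.0/24, must be covered by the outbound NAT,
! or it leaves the outside interface with an unroutable source address
nat (inside) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface
! only needed when cx01 initiates to the server: publish it on a mapped
! address and permit that single host pair inbound (pre-8.3 ACLs on the
! outside interface reference the mapped address)
static (inside,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host 198.51.100.50 host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The logged deny entries at the end of each ACL are what to watch when a packet never shows up on the far interface, since they tell you which firewall dropped it.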
