09-24-2008 01:09 PM - edited 03-11-2019 06:49 AM
Hi,
I have the following config:
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0 outside
Currently, DMZ users can access inside and outside via NAT
Once I add nat (inside) 1 0 0, I can't access the inside PCs from the DMZ. I would like to allow inside users to go outside via nat (inside) and global (outside). Any suggestions?
I have asa 5505 ver 7.2(4).
Thanks,
09-25-2008 01:34 AM
You need to look at your NAT design. I would use something like:
global (outside) 1 interface
nat (inside) 1 x.x.x.x y.y.y.y
nat (dmz) 1 w.w.w.w z.z.z.z
nat (inside) 0 access-list no-nat
nat (dmz) 0 access-list no-nat
access-list no-nat permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z
access-list no-nat permit ip w.w.w.w z.z.z.z x.x.x.x y.y.y.y
x.x.x.x = Inside IP subnet
y.y.y.y = Subnet mask
w.w.w.w = DMZ IP Subnet
z.z.z.z = Subnet mask
The above will NAT the inside to the outside using the firewall outside IP address.
It will NAT the DMZ to the outside using the firewall outside IP address.
It will NOT NAT the inside to the DMZ.
It will NOT NAT the DMZ to the inside.
Is there a specific reason why you need to NAT from inside to dmz and dmz to inside?
HTH>
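As an added illustration (not part of the reply above and not Cisco code), here is a small Python model of how a pre-8.3 ASA resolves the design just described: NAT exemption (nat 0 access-list) is evaluated before the regular nat/global pairing, so inside-to-DMZ and DMZ-to-inside flows pass untranslated, while traffic from either zone toward the outside is PATed to the outside interface address. The subnets, interface addresses and sample flows are constructed placeholders; the parser only understands the handful of command forms used in this thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample config in the shape of the reply above. The subnets
# (inside 10.1.1.0/24, dmz 172.16.1.0/24) and the interface addresses below are
# placeholders picked for this example, not values taken from the thread.
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (dmz) 0 access-list no-nat
access-list no-nat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

# Interface addresses used when a global says "interface" (placeholders).
INTERFACE_IPS = {"outside": "203.0.113.1", "inside": "10.1.1.1", "dmz": "172.16.1.1"}


def _net(addr, mask):
    """Build a network; accepts the '0 0' shorthand for 0.0.0.0 0.0.0.0."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Parse the subset of pre-8.3 ASA NAT syntax used in the thread."""
    cfg = {"globals": {}, "nats": [], "exempt": {}, "acls": defaultdict(list)}
    for raw in text.strip().splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "global":
            # global (iface) id {interface | pool}
            cfg["globals"][(p[1].strip("()"), int(p[2]))] = p[3]
        elif p[0] == "nat":
            iface, nat_id = p[1].strip("()"), int(p[2])
            if nat_id == 0 and p[3] == "access-list":
                cfg["exempt"][iface] = p[4]          # NAT exemption
            else:
                cfg["nats"].append((iface, nat_id, _net(p[3], p[4])))
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            cfg["acls"][p[1]].append((_net(p[4], p[5]), _net(p[6], p[7])))
    return cfg


def resolve(cfg, src_if, src_ip, dst_if, dst_ip):
    """Return (action, translated_source) for a flow between two interfaces."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Exemption (nat 0 access-list) wins over regular nat/global matching.
    acl = cfg["exempt"].get(src_if)
    if acl:
        for s_net, d_net in cfg["acls"][acl]:
            if src in s_net and dst in d_net:
                return ("exempt", src_ip)
    # Regular NAT: a nat entry on the ingress interface paired with the global
    # of the same id on the egress interface; "interface" means PAT to that
    # interface's own address. A nat match with no global on the egress side
    # is reported as having no translation group (modelled assumption).
    for iface, nat_id, net in cfg["nats"]:
        if iface == src_if and src in net:
            g = cfg["globals"].get((dst_if, nat_id))
            if g == "interface":
                return ("pat", INTERFACE_IPS[dst_if])
            if g is not None:
                return ("nat-pool", g)
            return ("no-translation-group", None)
    return ("untranslated", src_ip)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    flows = [
        ("inside", "10.1.1.50", "dmz", "172.16.1.20"),
        ("dmz", "172.16.1.20", "inside", "10.1.1.50"),
        ("inside", "10.1.1.50", "outside", "198.51.100.9"),
        ("dmz", "172.16.1.20", "outside", "198.51.100.9"),
    ]
    for f in flows:
        print(f"{f[0]}:{f[1]} -> {f[2]}:{f[3]}  =>", resolve(cfg, *f))
```

Running it shows the two inside/DMZ flows resolving to "exempt" (source unchanged) and both outside-bound flows resolving to PAT on 203.0.113.1, which is the behaviour the reply lists. Feeding the model a config that has a nat entry for an interface but no global for the egress interface returns "no-translation-group", which is the situation to check for first when a zone suddenly stops reaching another after a nat line is added.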
09-25-2008 05:06 AM
Just remove:
global (inside) 1 interface
using:
no global (inside) 1 interface
Everything should work just fine with your config then.
Do rate helpful posts.
Regards,
Sushil
09-25-2008 01:28 PM
I need the global (inside) 1 interface rule because all users in the DMZ come to the inside via one IP.
09-25-2008 01:55 PM
I would probably use a static NAT based on an ACL.
HTH>