12-23-2008 06:12 AM - edited 03-11-2019 07:28 AM
I am configuring an ASA5505 with DMZ. I have local LAN 192.168.103/24 and DMZ 10.103.1.0/24. I am able to connect from LAN to DMZ using 10.103.1.0/24 address but not the other way around. I can add either a static or dynamic NAT for this.
I'm not sure how to configure the NAT to allow DMZ host to connect to 192.168.103.0/24. I will control access through ACL rather than trying to "hide" them via NAT from the VPN.
12-23-2008 06:24 AM
If you just want to connect from DMZ to real addresses on the inside
static (inside,dmz) 192.168.103.0 192.168.103.0 255.255.255.0
and then as you say allow traffic with an acl on the dmz interface.
Jon
12-23-2008 06:33 AM
12-23-2008 06:37 AM
Apologies, there is a typo in the command - should be
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
but you already have this line in your config
static (inside,dmz) 10.103.1.0 192.168.103.0 netmask 255.255.255.0
You need to remove this unless you need it, in which case you can't add the line I gave you.
Jon
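An added example, not part of the original thread: a small Python check that parses pre-8.3 `static` lines and flags the two problems raised in the reply above, a mask given without the `netmask` keyword and two statics on the same interface pair covering the same real network. The function names are hypothetical, and the overlap rule is taken from the reply rather than from ASA documentation.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
# Only network statics that carry a mask are handled here.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: (netmask))? (\S+)$")


def parse_static(line):
    """Parse one static line into a dict, or return None for other lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_if, mapped_if, mapped, real, keyword, mask = m.groups()
    return {
        "line": line.strip(),
        "pair": (real_if, mapped_if),
        "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
        "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
        "has_netmask": keyword is not None,
    }


def audit(config_text):
    """Return (kind, detail) findings for the static lines in config_text."""
    findings, seen = [], []
    for line in config_text.splitlines():
        rule = parse_static(line)
        if rule is None:
            continue
        if not rule["has_netmask"]:
            findings.append(("missing-netmask", rule["line"]))
        for prev in seen:
            same_pair = prev["pair"] == rule["pair"]
            if same_pair and prev["real"].overlaps(rule["real"]):
                detail = prev["line"] + " | " + rule["line"]
                findings.append(("real-overlap", detail))
        seen.append(rule)
    return findings


# Constructed input: the two lines from the thread, as one candidate config.
CANDIDATE = """\
static (inside,dmz) 10.103.1.0 192.168.103.0 netmask 255.255.255.0
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for finding in audit(CANDIDATE):
        print(finding)
```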
12-23-2008 06:49 AM
You're an absolute star! I've been looking at this for the last few hours and I needed it in by Christmas.
Many many thanks.
I was trying to create a rule each way, which was causing my problem, I think - i.e. translate inside to DMZ and DMZ to inside. I think that's where the other static came in.
12-23-2008 06:59 AM
Glad to have helped and thanks for the rating.
Jon