CISCO ASA 5520 configuration problems

Unanswered Question
Aug 23rd, 2009

Guys, I'm stuck and need as much help as possible, please. I'm from Guyana, South America. I have my ISP connected to one Cisco 2800 series router, connected to a Cisco ASA 5520 firewall, then to a Dell PowerConnect switch, then 9 small networks on Cisco 881 routers. Also from the ASA 5520 I have my servers connected as a DMZ. Now, what I want to accomplish is for my DMZ to have outbound and inbound access to the internet, and for my small networks to reach the DMZ and also the internet. Also VPN from remote networks to access the DMZ. Below is my current running-config on the ASA 5520.

ASA Version 7.2(4)

domain-name GPF.LOCAL
enable password
passwd encrypted

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address

ftp mode passive
dns server-group DefaultDNS
 domain-name GPF.LOCAL
same-security-traffic permit intra-interface
object-group protocol ip-allow
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list OUTSIDE_access_in extended permit object-group ip-allow any
access-list OUTSIDE_access_in extended permit tcp any
access-list INSIDE_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list OUTSIDE_1_cryptomap extended permit ip
access-list INSIDE_nat0_outbound extended permit ip
access-list allow_outside_connections extended permit icmp any any echo-reply
access-list allow_outside_connections extended permit icmp any any source-quench
access-list allow_outside_connections extended permit icmp any any unreachable
access-list allow_outside_connections extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
monitor-interface DMZ
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 netmask
global (OUTSIDE) 200 interface
global (INSIDE) 1 netmask
global (DMZ) 1 netmask
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1
nat (INSIDE) 101
nat (DMZ) 1 outside
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
access-group DMZ_access_out out interface DMZ
route OUTSIDE 1
route INSIDE 1
route DMZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


mark.stclaire Mon, 08/24/2009 - 08:30

Hey Josh! Thanks so far, I'm off to a running start. However, I still have some issues.

I might be able to help you with part of your problem. I had a similar situation on my network the other day.

If you check your logs after one of your small networks tries to access the DMZ you might see an error about not having a translation group. I am not sure if this is the correct way of doing it but it worked for me.

You need a STATIC statement for the ASA to pass traffic from the LAN > DMZ and vice versa, without it trying to NAT. So your statement would look something like this:

STATIC (inside,DMZ) netmask

If your ACLs are correct then this should work. Like I said before though, I am not sure if this is the correct and secure way of doing it, but I know this worked for me.
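To put the reply's STATIC suggestion in the context of the poster's whole requirement (INSIDE to DMZ, both to the internet, and the internet to a DMZ server), here is a complete pre-8.3 NAT layout for ASA 7.2 as an added example; it is not the poster's config or the reply's exact lines. All addresses are constructed placeholders (INSIDE 10.1.0.0/16, DMZ 172.16.10.0/24 with a web server at 172.16.10.10, spare public address 203.0.113.10), and the nat-exemption alternative in step 1b reuses the INSIDE_nat0_outbound ACL that is already in the running-config.

```cisco
! Constructed placeholder addressing (not from the thread):
!   INSIDE  10.1.0.0/16      the nine 881 sites behind the inside router
!   DMZ     172.16.10.0/24   web server at 172.16.10.10
!   OUTSIDE public address 203.0.113.10 reserved for that server

! 1. INSIDE -> DMZ with no translation: identity static, as the reply describes.
!    Same address on both sides means "present 10.1.0.0/16 to the DMZ as itself".
!    A static is evaluated before dynamic nat/global, so the existing
!    global (INSIDE) 1 / global (DMZ) 1 pools no longer affect this traffic.
static (INSIDE,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! 1b. Equivalent alternative: extend the nat-exemption ACL already in use by
!     "nat (INSIDE) 0 access-list INSIDE_nat0_outbound" (exemption is checked
!     first of all; this is the documented way and is no less secure than 1).
! access-list INSIDE_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 172.16.10.0 255.255.255.0

! 2. INSIDE and DMZ -> OUTSIDE: PAT both behind the outside interface address.
!    The nat id (1) ties each nat statement to the matching global pool.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.1.0.0 255.255.0.0
nat (DMZ) 1 172.16.10.0 255.255.255.0

! 3. OUTSIDE -> DMZ: one-to-one static for the server, then permit only the
!    ports it serves. On 7.2 the inbound ACL matches the public (mapped)
!    address, not the DMZ address.
static (DMZ,OUTSIDE) 203.0.113.10 172.16.10.10 netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_access_in extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_access_in in interface OUTSIDE

! 4. Security levels already allow INSIDE (100) -> DMZ (50) once the
!    translation in step 1 exists. DMZ (50) -> INSIDE (100) stays blocked
!    unless an ACL applied inbound on DMZ permits it; replies to INSIDE-
!    initiated connections are matched by the connection table and need no rule.

! 5. Checks for the "no translation group" symptom the reply mentions:
! show xlate | include 10.1.
! packet-tracer input INSIDE tcp 10.1.5.20 12345 172.16.10.10 80
```

The packet-tracer line prints each phase (ACL, NAT, route) and shows which statement a flow from a small network to the DMZ actually hits, which is the quickest way to confirm that the static, rather than a dynamic pool, is being applied.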
