ASA Firewall Problem DMZ access and NAT

Unanswered Question
Feb 19th, 2010

Clients in INSIDE can't access the private IP in the DMZ zone.

Clients in INSIDE can't access the NAT IP from the DMZ and inside zones.

Can't SSH from the Internet to the outside interface.

I have the command

ssh outside

Thanks for the best support.

Federico Coto F... Sat, 02/20/2010 - 12:44
User Badges:
  • Green, 3000 points or more


For clients in INSIDE to access a DMZ host, you just need dynamic NAT (if using NAT) and to verify there's no ACL on the INSIDE blocking the traffic.

To allow SSH to the outside, you also have to have the crypto rsa keys, which are derived from the name/domain of the ASA.

Could you attach the sh run?


samart_sri Sun, 02/21/2010 - 11:24

Thank you very much Federico.

For the SSH issue I used "crypto key generate rsa" again and it's OK.

But now clients from inside can't access the DMZ network, and client devices can't use the NAT IP to access the server [but I can use the private IP for access].


server ip : => nat

Clients from inside can access into but can't access

Clients must use the public IP because clients call the website from the public web and it uses the public IP.

I attach the show run for your analysis.

Thank you very much for the best support.


Kureli Sankar Sun, 02/21/2010 - 13:46
User Badges:
  • Cisco Employee,


The inside hosts should address the DMZ hosts NOT using the public address.

Please fix this problem and have DNS resolve to the private address and not the public one.

If this is not possible then you can add the following.

static (dmz,inside) net

This should work.


samart_sri Sun, 02/21/2010 - 18:08

Thank you Kusankar,

I can't have a DNS server, and I tried to use static (dmz,inside) net but the inside clients can't access the DMZ network. Please help me. And the server in the inside network is NAT'ed already; the inside clients can't access it via the NAT IP [public IP] but can access it via the private IP, which is OK.

Thank you for the best support.


Federico Coto F... Sun, 02/21/2010 - 21:08
User Badges:
  • Green, 3000 points or more

If the inside network wants to reach server on DMZ via its public IP, then all you need is the static that KS suggested:

static (dmz,inside)

I assume from your post that the inside clients resolve the IP for your DMZ server, and that's why you want to reach the server from the inside using the public IP...

The above static statement should do it....

Could you verify that the DNS response that you're getting for your server is the public IP?
Can you PING from the inside network?

From the configuration, it should work, if still does not work, please use the Packet Tracer utility from CLI or ASDM and that will show you which process in the ASA is denying the traffic (or check the logs)


samart_sri Sun, 02/21/2010 - 22:10

Thank you Federico,

Because the user accesses the website and then clicks a link to access the service [the link in the URL points to the public IP, not to the DNS name of the server], if the user stays at the office they always access the website and click the link in the web page to reach the service, rather than entering the private IP.

Thank you for the best support.


Federico Coto F... Mon, 02/22/2010 - 13:28
User Badges:
  • Green, 3000 points or more

Let's make sure that it is not a problem with the server itself...

With the STATIC in place, you should be able to PING the public IP from the INSIDE network. Is this working?

If not, could you post the results from the packet tracer utility?
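As an added example that is not the poster's configuration (the attached show run is not on the page), here is a constructed ASA configuration in the pre-8.3 static/nat/global syntax the thread uses, with RFC 5737 documentation addresses assumed for the outside, inside and DMZ networks and a hostname/domain of asa1/example.com. It ties together the points raised above: NAT (here identity NAT) for inside-to-DMZ traffic so a nat statement without a matching global does not drop it, the static (dmz,inside) that lets inside clients reach the DMZ server by its public address, the RSA keys needed before ssh ... outside works, and the packet-tracer check suggested above.

```cisco
! Constructed example addresses (RFC 5737 ranges), not taken from the thread
hostname asa1
domain-name example.com
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Outbound dynamic PAT for inside and dmz hosts going to the Internet
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Identity NAT for inside -> dmz so client addresses are kept and the
! nat (inside) 1 rule does not look for a global on the dmz interface
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Publish the DMZ web server on a public address for Internet clients
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
!
! Let inside clients reach the same server by its public address:
! as seen from inside, 203.0.113.10 maps back to the DMZ private address
static (dmz,inside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!
! SSH management on the outside interface: the RSA keys are derived from
! hostname/domain-name, and the source is limited to a management network
crypto key generate rsa modulus 2048
ssh 198.51.100.0 255.255.255.0 outside
ssh version 2
!
! Verification: walk a packet from an inside client to the public address
! and confirm the NAT phase shows the dmz translation and the result is ALLOW
packet-tracer input inside tcp 192.168.1.50 1025 203.0.113.10 80
show xlate
```

Because inside (security level 100) is higher than dmz (50), no access-list is needed for inside-to-dmz traffic unless one is applied inbound on the inside interface; in that case the packet-tracer output will show the ACCESS-LIST phase as the drop point. The static commands take precedence over the nat/global pair, which is why the identity static is enough to keep inside-to-dmz traffic untranslated.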


