VPN to use static (dmz,inside)

i.harvey
Level 1

I have a server in my DMZ with address 192.168.0.1 and I need it to be visible to my LAN as 172.16.0.1, so I have created this static NAT statement:

static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

This works correctly and I can get to the DMZ server using the 'LAN address' of 172.16.0.1.

I have several VPNs and I need them to also connect to the DMZ server using the 'LAN address' of 172.16.0.1 rather than the real DMZ address. Is this possible, and if so, how?

I have a Cisco ASA 5520 ver 7.2(4).

Can somebody help me please?

Ian


Hi,

If you create the appropriate NAT statement, you should be able to do it.

For example:

static (dmz,out) 172.16.0.1 192.168.0.1

Make sure that there is no NAT 0 access-list statement for 192.168.0.1 or for 172.16.0.1.

Federico.

Hi Federico, sorry for the delay in responding, I have had a crazy amount of work to do recently.

It was the NAT 0 bit that stopped it working for me; I did wonder if it was affecting it, but I use the same 'no nat' statements on the "nat (inside) 0 acl" as for the "nat (dmz) 0 acl", and it works for the inside to DMZ traffic correctly (?)

If I keep the NAT 0 for the classful subnets, is it possible to have a DENY statement in the ACL? Hopefully this would allow the permitted traffic to pass between my LAN and DMZ using their real addresses (e.g. if I had servers with IPs 192.168.0.2, 192.168.100.3, etc), but for the server with the real address of 192.168.0.1, I will need to use the NATed address of 172.16.0.1

e.g.

access-list TEST extended deny ip host 192.168.0.1 host 172.16.0.1

access-list TEST extended deny ip host 172.16.0.1 host 192.168.0.1

access-list TEST extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list TEST extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list TEST

nat (dmz) 0 access-list TEST

static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

static (dmz,outside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

Many thanks for your help

Ian

Hi - I have found a problem with this setup as my server in the DMZ is a web proxy server.

I can now connect to it using its NATed address of 172.16.0.1, but because of the static (dmz,outside) 172.16.0.1 192.168.0.1, the server cannot get to the internet. Instead of using the global outside address of the firewall it is using 172.16.0.1 and getting dumped.

...fixed it (I think) using policy static natting:

e.g.

access-list TEST ext perm ip host 192.168.0.1 172.16.0.0 255.255.0.0

static (dmz,outside) 172.16.0.1 access-list TEST

Ok, you got it working then?

Please let me know.

Thank you.

Federico.

Hi Federico, I have it working for my LAN-to-LAN VPNs now, but not my remote access VPNs. The difference is that L2L VPNs have a subnet in the 172.16.0.0 range, but remote access VPNs have a subnet in the 192.168.0.0 range by default; I have one remote access VPN in the 172.16.0.0 range and it is working correctly. I have tried adding:

access-list TEST ext perm ip host 192.168.0.1 192.168.0.0 255.255.0.0

but this has not fixed it, so I am stumped at the moment.

If the remote VPN access has a different network, you should add that new network under the NAT0 statement and under the split-tunneling ACL (in case you have one defined).

Could you post the relevant part of your configuration to help you out with the remote VPN access?

Federico.

Hi Federico, I had an all-encompassing NAT0 statement that was stopping it from working (192.168.0.0/16 to 192.168.0.0/16). Once I removed this it fixed the problem, so I am able to use my static (dmz,inside) policy NAT from my inside LAN, my LAN-to-LAN VPNs and my Remote Access VPNs.

Thank you very much for all your help.

Now that everything is 'working' I have a new problem in that because this is meant for a web-proxy server, this configuration now stops the true source IP from getting to the server, thereby breaking the logging of web requests for audit purposes. The server 'sees' the firewall interface IP for all web requests - I shall start a new thread for this.

p.s. it will be a nightmare trying to extract the relevant rules to post :-(
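Federico's check earlier in the thread (no nat 0 access-list entry covering 192.168.0.1 or 172.16.0.1) and the catch-all exemption Ian found in this post are the same problem, so here is an added example, not code or configuration from the thread, that lints an ASA 7.x-style config for exemption entries overlapping a static translation's hosts. The CONFIG text is constructed from the lines Ian posted plus the 192.168.0.0/16 catch-all he removed; the lint lists every permit entry to review and does not evaluate the deny entries Ian placed ahead of them.

```python
"""Added example: flag NAT exemption (nat 0 access-list) entries that cover a
host used in a static translation. Constructed from the thread's config lines
plus the catch-all exemption Ian removed; not the ASA's own logic."""
import re
from ipaddress import ip_address, ip_network

CONFIG = """
access-list TEST extended deny ip host 192.168.0.1 host 172.16.0.1
access-list TEST extended deny ip host 172.16.0.1 host 192.168.0.1
access-list TEST extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list TEST extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list TEST extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list TEST
nat (dmz) 0 access-list TEST
static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
static (dmz,outside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
"""

ADDR = r"(?:host (\S+)|(\S+) (\S+))"   # "host X" or "NETWORK MASK"
ACE_RE = re.compile(rf"access-list (\S+) extended (permit|deny) ip {ADDR} {ADDR}")

def to_net(host, net, mask):
    """Turn either form of an ACE address into an ip_network."""
    return ip_network(host) if host else ip_network(f"{net}/{mask}")

def parse(config):
    """Collect ACEs, names of ACLs used by 'nat (x) 0', and static pairs."""
    aces, exempt_acls, statics = [], set(), []
    for line in config.strip().splitlines():
        m = ACE_RE.match(line)
        if m:
            name, action, sh, sn, sm, dh, dn, dm = m.groups()
            aces.append((name, action, to_net(sh, sn, sm), to_net(dh, dn, dm)))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            exempt_acls.add(m.group(2))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)
        if m:
            statics.append((m.group(3), m.group(4)))   # (mapped, real)
    return aces, exempt_acls, statics

def exemption_conflicts(config):
    """Permit ACEs in a nat-0 ACL whose source or destination covers a static host."""
    aces, exempt_acls, statics = parse(config)
    hosts = {ip_address(a) for pair in statics for a in pair}
    return [(name, str(src), str(dst)) for name, action, src, dst in aces
            if name in exempt_acls and action == "permit"
            and any(h in src or h in dst for h in hosts)]
```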

Hi,

I just replied in your other post.

Let me know please.

Federico.
