Cisco ASA same security traffic

Unanswered Question
May 7th, 2010

I can't get the AirDMZ network to talk to inside network. What am I missing here?

interface GigabitEthernet0/0
 speed 100
 nameif Outside
 security-level 0
 ip address
 ospf cost 10
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface GigabitEthernet0/2
 nameif AirDMZ
 security-level 100
 ip address
 ospf cost 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound_AirDMZ extended permit ip any any
access-list inside extended permit icmp any any
access-list inbound_AirDMZ extended deny tcp any any eq 445
access-list inbound_AirDMZ extended permit ip any any
global (Outside) 1 interface
global (AirDMZ) 1 interface
nat (Outside) 0 access-list natout
nat (Outside) 1 access-list outsidenat
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (AirDMZ) 1

static (inside,AirDMZ) netmask
access-group outside_acl in interface Outside
access-group inside_acl in interface inside
access-group inbound_AirDMZ in interface AirDMZ
access-group outbound_AirDMZ out interface AirDMZ

Jennifer Halim Fri, 05/07/2010 - 17:21

The following static statement is incorrect:

static (inside,AirDMZ) netmask

It should be changed to:

static (inside,AirDMZ) netmask

"clear xlate" after the above changes, and AirDMZ should be able to communicate with the inside network.

Hope that helps.

Riju Kalarickal Fri, 05/07/2010 - 17:29

It didn't help.

I did a packet trace; it stops here:

match ip AirDMZ inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 1858, untranslate_hits = 0
RESULT - The packet is dropped.

Jennifer Halim Fri, 05/07/2010 - 18:37

Try the following:

1) Remove "nat (AirDMZ) 1"

2) clear xlate

3) Test the connection from AirDMZ towards inside

4) Re-add "nat (AirDMZ) 1" for the AirDMZ network to browse the Internet

What version of ASA are you running? Might be a bug if it's matching the dynamic NAT instead of the static, as static NAT should take precedence over dynamic NAT.

Also, please share the latest of the following output if it still doesn't work:

sh run nat

sh run global

sh run static

and all ACLs that are assigned in the above show outputs. Thanks.
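To make the "No matching global" result in the packet trace concrete, here is an added Python model of the pre-8.3 ASA NAT lookup order (exemption, static, then dynamic nat/global pairs) applied to the posted config. It is not Cisco's code or anything from this thread; the interface names and pool id come from the post, while every address is an assumed placeholder because the post elides them.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the poster's pre-8.3 NAT config. The thread elides the
# real addresses, so every subnet below is an assumed placeholder.
CONFIG = {
    # nat (inside) 0 access-list no-nat: (src_if, src_net, dst_net) exemptions
    "exempt": [("inside", "192.0.2.0/24", "10.10.0.0/16")],
    # static (inside,AirDMZ) <ip> <ip> netmask ...: (real_if, mapped_if, real_net)
    "static": [("inside", "AirDMZ", "192.0.2.0/24")],
    # nat (<if>) 1 ...: dynamic rules keyed by source interface -> pool id
    "dynamic": {"Outside": 1, "inside": 1, "AirDMZ": 1},
    # global (<if>) 1 interface: pools available per egress interface
    "global": {("Outside", 1), ("AirDMZ", 1)},
}

def nat_decision(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return the source-NAT outcome for a flow entering src_if and leaving dst_if.

    Lookup order on an 8.2 ASA: NAT exemption, static, then dynamic. A
    dynamic 'nat' rule needs a 'global' with the same id on the egress
    interface; without one the flow is dropped ('No matching global').
    With nat-control off (the default), a flow matching no rule passes untranslated.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for if_name, src_net, dst_net in cfg["exempt"]:
        if if_name == src_if and src in ip_network(src_net) and dst in ip_network(dst_net):
            return "exempt (nat 0 access-list)"
    for real_if, mapped_if, real_net in cfg["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and src in ip_network(real_net):
            return f"static ({real_if},{mapped_if})"
    pool = cfg["dynamic"].get(src_if)
    if pool is None:
        return "untranslated (no nat rule matched, nat-control off)"
    if (dst_if, pool) in cfg["global"]:
        return f"dynamic translation to pool {pool} via {dst_if}"
    return f"DROP: dynamic pool {pool} has no matching global on {dst_if}"

def without_dynamic(cfg, if_name):
    """Config copy with 'nat (<if_name>) 1' removed (step 1 of the reply above)."""
    trimmed = dict(cfg)
    trimmed["dynamic"] = {k: v for k, v in cfg["dynamic"].items() if k != if_name}
    return trimmed

if __name__ == "__main__":
    # AirDMZ host 203.0.113.10 talking to inside host 192.0.2.5 (assumed addresses)
    print(nat_decision(CONFIG, "AirDMZ", "inside", "203.0.113.10", "192.0.2.5"))
    print(nat_decision(without_dynamic(CONFIG, "AirDMZ"), "AirDMZ", "inside", "203.0.113.10", "192.0.2.5"))
```

The first call reproduces the drop from the packet trace (pool 1 exists on Outside and AirDMZ but not on inside); the second shows why removing "nat (AirDMZ) 1" lets the same flow through untranslated.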
