NAT Issues

Unanswered Question
Jun 21st, 2010

I am having issues resolving dns and I am thinking it is my nat configuration.

I have a cisco asa 5510 with these settings

Outside / inside / dmz1 / dmz2

On my outside iface I have an IP of 192.168.1.### <--- this IP address goes to the ISA

Inside iface IP address of 10.100.2.###. This subnet has my DNS server with an IP address of 10.100.2.##. The gw for this is

The DMZ2 subnet has the IP subnet of 10.0.0.###. The gw for this is

My problem is that on my DMZ computers I am unable to access the Internet. I have created a NAT rule which translates to my outside iface

I also have a perimeter firewall and an ISA before this firewall...

I can see the traffic in my logs going out from inside to outside but I am unable to hit the net...

Any ideas?

I am thinking it is something in my NAT configuration but not sure what....

Federico Coto F... Mon, 06/21/2010 - 14:23


If I understand correctly, you're trying to access the Internet from the DMZ.

For this you need to NAT the traffic of the DMZ to the outside.

It seems you have a private IP on the outside, so by NATing the DMZ traffic to the outside, you will need another NAT to allow the DMZ to get out to the Internet. My question would be: who is doing NAT for Internet traffic, the ISA server?

Can you permit ICMP through the ASA and see if you can PING the ISA server from the DMZ hosts?

Please answer the questions and post the output of:

sh run nat

sh run global

sh run static

sh run access-group

sh run access-list


castortroy78 Tue, 06/22/2010 - 06:55

I will post configuration output.

The setup is basically firewall / ISA / firewall

The perimeter firewall has a public IP on the outside and a private one on the inside, which talks to the outside of the ISA; the inside of the ISA talks to the outside of the third firewall.... The ISA is what allows connections from inside to get out and reach the Internet.

The third firewall has these interfaces currently

Outside - Talks to the ISA

Inside - Internal network (currently can connect to the Internet)

DMZ1 - Webserver

DMZ2 - This one has the issues. Can't get to the Internet.

DMZ3 - SSH server

DMZ2 houses an auth server (RADIUS) and a key-token auth appliance which talks to the RADIUS server

castortroy78 Tue, 06/22/2010 - 09:48

sh run nat

nat (inside) 1
nat (DMZ2_Int) 1

sh run global

global (outside) 1 netmask
global (outside) 1 netmask

sh run static

static (inside,inside) xy_network netmask
static (inside,outside) netmask
static (inside,outside) ##.##.##.### netmask
static (inside,DMZ) netmask

sh run access-group

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ2_Int_access_in in interface DMZ2_Int

sh run access-list

access-list outside_access_in extended deny ip any log
access-list DMZ_access_in extended deny ip any log
access-list inside_nat0_outbound extended permit ip any
access-list inside_access_in extended deny ip any log
access-list inside_access_in extended permit ip any any
access-list global_mpc extended permit ip any any
access-list DMZ2_Int_access_in extended permit object-group DM_INLINE_SERVICE_1 any
access-list DMZ2_Out extended permit ip any

OK, here is what I have
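As an added example (not from the thread or from Cisco), here is a small Python checker for the pre-8.3 ASA "sh run" output format posted above: it pairs each "nat (iface) id" with a "global (outside) id", and checks whether the ACL bound inbound on the DMZ interface contains a blanket permit, which are the two things the reply above asks about. The interface and ACL names follow the thread; the sample config and its addresses are constructed, not the poster's real values.

```python
import re
from collections import defaultdict

# Constructed sample in the pre-8.3 ASA syntax shown in the thread; names follow
# the thread, addresses are placeholders (not the poster's redacted values).
SAMPLE_RUN = """
nat (inside) 1 10.100.2.0 255.255.255.0
nat (DMZ2_Int) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group DMZ2_Int_access_in in interface DMZ2_Int
access-list inside_access_in extended permit ip any any
access-list DMZ2_Int_access_in extended permit object-group DM_INLINE_SERVICE_1 any
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) ?(.*)$")

def parse_run(text):
    nats, globs, acgs, acls = [], [], {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))      # (interface, nat id)
        elif m := GLOBAL_RE.match(line):
            globs.append((m.group(1), int(m.group(2))))     # (interface, nat id)
        elif m := ACG_RE.match(line):
            acgs[m.group(2)] = m.group(1)                   # interface -> inbound ACL
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
    return nats, globs, acgs, acls

def check_dmz_egress(text, dmz_iface, egress_iface="outside"):
    """Return findings explaining why hosts behind dmz_iface may fail to reach egress_iface."""
    nats, globs, acgs, acls = parse_run(text)
    findings = []
    ids = {nid for iface, nid in nats if iface == dmz_iface}
    if not ids:
        findings.append(f"no 'nat ({dmz_iface}) <id>' statement: DMZ traffic is never translated")
    for nid in sorted(ids):
        if (egress_iface, nid) not in globs:
            findings.append(f"nat id {nid} on {dmz_iface} has no matching 'global ({egress_iface}) {nid}'")
    acl = acgs.get(dmz_iface)
    if acl and not any(a == "permit" and p == "ip" and rest.startswith("any")
                       for a, p, rest in acls[acl]):
        findings.append(f"inbound ACL {acl} on {dmz_iface} has no 'permit ip any any'; "
                        "only the flows it explicitly permits (e.g. via an object-group) can leave")
    return findings
```

Run it against your own "sh run" paste with the DMZ interface name; an empty list means both the nat/global pairing and the inbound ACL look open for that interface, and each string otherwise names the line to check.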
