static nats and dmz access to the internet

Unanswered Question
Jul 15th, 2010

Using an ASA5500, I have the following allowing the outside to access servers on the dmz:

static (dmz,outside) netmask
static (dmz,outside) netmask
static (dmz,outside) netmask


access-list incoming_outside extended permit tcp any host eq www

access-list incoming_outside extended permit tcp any host eq https

access-list incoming_outside extended permit tcp any host eq www


access-group incoming_outside in interface outside

So the outside can access the public address on the respective ports, and that works ok.

However, we also want to allow DMZ servers to access the Internet, so we have the following:

nat (dmz) 2

global (outside) 2

But the question is, when dmz servers access the internet should they be PAT'ed to their static translation IP address or to global 2?

For example, if is to access the internet, should it be PAT'ed to or

I think the issue we are facing is that it goes out as one public IP and comes back as another public IP which could be the reason dmz cannot get to the internet.

Kevin Redmon Thu, 07/15/2010 - 13:32
Cisco Employee


The order-of-operations of NAT is as below:

1.) nat 0 access-list (nat-exempt)

2.) existing translations

3.) match static commands (first match)

- static NAT with and without access-list

- static PAT with and without access-list

4.) Match NAT commands

- nat access-list (first match)

- nat (best match)

With that being said, if a DMZ host does NOT belong to the nat-exempt access-list rule or have an existing translation, it will go out as the

Any syslogs that you can provide (at the debug level) with the error that you are getting are greatly appreciated.

Best Regards,


Nagaraja Thanthry Thu, 07/15/2010 - 13:48
Cisco Employee


Are you able to access your servers from internet? If that is working, then there should not be any issues from the NAT side. I am thinking the issue is with your DNS settings. Are you using DNS server on the inside interface for address resolution? If yes, do you have rules to allow that communication? Can you try to configure as your DNS server and see if you can browse internet? Also, if you have any access-list on the DMZ interface, make sure that internet traffic is allowed.

Note: When you go to internet from DMZ servers, they will take their static translation addresses. If you do not have a static translation, then they will go with dynamic pool.

Hope this helps.
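
As an added illustration of the order of operations Kevin lists and of Nagaraja's note that a host with a static keeps its static address on egress, the following Python walks a minimal pre-8.3 ASA NAT configuration in that order and reports which outside address a DMZ host would use. This is example code written for this page, not a Cisco tool and not either poster's configuration; the sample config and every address in it (RFC 5737 and RFC 1918 documentation ranges) are constructed assumptions.

```python
"""Which outside address does a DMZ host egress with?

Evaluates a minimal pre-8.3 ASA NAT config in the order given in the thread:
  1. nat 0 access-list (NAT exemption)
  2. existing translation (xlate table)
  3. static (first match in config order)
  4. nat / global (best match among nat statements, then the global with that id)

Added example for this page; not a Cisco tool and not the posters' config.
All addresses below are documentation values chosen as assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample config (assumption), not the original poster's lines.
SAMPLE_CONFIG = """\
access-list dmz_nonat extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 172.16.1.11 netmask 255.255.255.255
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 203.0.113.100
"""


@dataclass
class NatConfig:
    acls: dict = field(default_factory=dict)        # name -> [(src_net, dst_net)]
    exempt_acls: list = field(default_factory=list) # ACL names used by "nat (x) 0 access-list"
    statics: list = field(default_factory=list)     # [(real_ip, mapped_ip)] in config order
    nat_rules: list = field(default_factory=list)   # [(nat_id, real_net)]
    globals: dict = field(default_factory=dict)     # nat_id -> mapped PAT address


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Parse only the NAT-relevant lines; anything else is ignored."""
    cfg = NatConfig()
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, s, sm, d, dm = m.groups()
            cfg.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg.exempt_acls.append(m.group(2))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$", line):
            mapped, real = m.group(3), m.group(4)
            cfg.statics.append((ipaddress.ip_address(real), ipaddress.ip_address(mapped)))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line):
            cfg.nat_rules.append((int(m.group(2)), _net(m.group(3), m.group(4))))
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)$", line):
            cfg.globals[int(m.group(2))] = ipaddress.ip_address(m.group(3))
    return cfg


def resolve(cfg, src, dst, xlates=None):
    """Return (rule_kind, mapped_ip_str) for a flow src -> dst leaving via outside."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: the host leaves with its real address.
    for name in cfg.exempt_acls:
        for s_net, d_net in cfg.acls.get(name, []):
            if src in s_net and dst in d_net:
                return ("nat-exempt", str(src))
    # 2. An existing xlate wins over fresh policy evaluation.
    for real, mapped in (xlates or {}).items():
        if ipaddress.ip_address(real) == src:
            return ("existing-xlate", str(mapped))
    # 3. static: first match in configuration order.
    for real, mapped in cfg.statics:
        if src == real:
            return ("static", str(mapped))
    # 4. nat/global: best (longest-prefix) nat statement, then its global.
    matches = [(nid, net) for nid, net in cfg.nat_rules if src in net]
    if matches:
        nid, _ = max(matches, key=lambda m: m[1].prefixlen)
        if nid in cfg.globals:
            return ("dynamic-pat", str(cfg.globals[nid]))
    # No translation: with nat-control enabled the ASA drops the packet
    # ("no translation group found").
    return ("none", None)


def inbound_real(cfg, mapped):
    """Reverse lookup: which DMZ host receives traffic sent to a static's mapped address."""
    mapped = ipaddress.ip_address(mapped)
    for real, m in cfg.statics:
        if m == mapped:
            return str(real)
    return None


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for host in ("172.16.1.10", "172.16.1.20", "172.16.2.5"):
        print(host, "->", resolve(cfg, host, "198.51.100.5"))
```

Running it shows the point both answers make: the host with a static (172.16.1.10 in the sample) egresses as 203.0.113.10, the same address the outside uses to reach it, so there is no "out as one IP, back as another" asymmetry; only DMZ hosts with no static fall through to the global 2 PAT address, and a host covered by neither gets no translation at all.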



