08-06-2010 06:00 AM - edited 03-11-2019 11:21 AM
I have a scenario: my outside and inside networks are connected via the inside interface of my PIX firewall, and the DMZ is connected via the dmz interface. Inside has security level 100 and dmz has 40.
From the DMZ I can access the inside LAN, but I am not able to access the internet. Kindly help.
08-06-2010 06:05 AM
Hello,
Do you have NAT rules configured to access internet from DMZ?
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
In the above example, the outside interface IP address will be shared by
both the inside and dmz clients when going to internet. Please make sure
that you have something similar configured. Also you need to check the
following things:
-- There are no access-list entries on the DMZ to block internet connection
-- You have access to the DNS server (if DNS server is on the inside subnet,
please configure a static NAT rule for the DNS server)
-- If you are using ASA5505 with base license, you will not be able to
communicate between the inside and outside simultaneously.
Hope this helps,
Regards,
NT
08-06-2010 06:16 AM
But I don't have any outside interface configured.....
Outside --- router --- inside --- firewall --- dmz.
Outside and inside are on the same side of the firewall...
This config:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
I think as traffic is moving from a lower to a higher security level, we need a static NAT.
But how can I use a static NAT for all internet addresses? There is no wildcard option in static NAT..
Thanks in advance..
ashish
08-06-2010 06:26 AM
Hello,
In that case, you can disable NAT control and remove the existing NAT
configurations.
ASA#configure terminal
ASA(config)#no nat-control
ASA(config)#clear configure nat
ASA(config)#clear configure global
ASA(config)#clear configure static
Since you have disabled the NAT requirement, all traffic will go to your
outside router without any NAT. Make sure that the outside router has a rule
to accommodate DMZ subnets in the NAT pool.
Hope this helps.
Regards,
NT
08-06-2010 06:30 AM
I can check that, but for that I will need downtime... as some connections will also drop.. Second thing.... for traffic from a lower to a higher security level, don't we need static NAT? ......
08-06-2010 06:40 AM
Hello,
You do not need any NAT rule when you are going from lower security
interface to higher security interface.
Regards,
NT
08-06-2010 06:06 AM
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255 0 0
nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface
Will this help...
08-06-2010 06:12 AM
Hello,
A few concerns:
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255
This statement seems to be incorrect.
global (inside) 2 interface
Why are you mapping DMZ traffic to inside interface IP?
You do not need to statically map DMZ addresses to inside address unless
they are some servers. If you were trying to map the DNS server, your first
statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes
care of it.
Hope this helps.
Regards,
NT
08-06-2010 06:20 AM
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255
This is because.. dmz and inside are using approximately the same kind of IP range, i.e. 10.*.*
Because of this command, access from dmz to inside is possible, but not towards the internet......
In my firewall, traffic is not even reaching the outside interface.. it's getting dead before it.. some NATting issue.
This statement seems to be incorrect.
global (inside) 2 interface
I want to, so that it will take the inside IP address to go to the internet...
Why are you mapping DMZ traffic to inside interface IP?
You do not need to statically map DMZ addresses to inside address unless
they are some servers. If you were trying to map the DNS server, your first
statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes
care of it.
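As an added example (not from this thread and not Cisco's code), here is a small Python linter that applies the two concerns NT raised above to PIX-style nat/global/static lines: it flags a nat id whose global pool sits on an interface with a higher security level than the nat interface, and a static whose mapped address falls inside a real network that another static already places on that same interface (the overlapping 10.x ranges Ashish describes). The inside/dmz security levels come from the thread; outside = 0 and the ASKER_CFG text are assumptions constructed from the posted lines.

```python
import re
from ipaddress import ip_network
# Security levels stated in the thread (inside 100, dmz 40); outside = 0 is assumed.
SEC = {"inside": 100, "dmz": 40, "outside": 0}
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def parse(cfg):
    # Collect nat / global / static lines from PIX-style config text.
    nats, globs, statics = set(), set(), []
    for line in map(str.strip, cfg.splitlines()):
        if m := NAT_RE.match(line):
            nats.add((m[1], int(m[2])))
        elif m := GLOBAL_RE.match(line):
            globs.add((m[1], int(m[2])))
        elif m := STATIC_RE.match(line):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            statics.append((real_ifc, mapped_ifc,
                            ip_network(f"{mapped}/{mask}", strict=False),
                            ip_network(f"{real}/{mask}", strict=False)))
    return nats, globs, statics

def lint(cfg, sec=SEC):
    # Return findings (strings) for the two concerns raised in the thread.
    nats, globs, statics = parse(cfg)
    issues = []
    for ifc, nid in sorted(nats):
        pool = [g for g, gid in globs if gid == nid]
        if not pool:
            issues.append(f"nat ({ifc}) {nid}: no global with id {nid}")
        # a dynamic nat/global pair is for traffic heading toward a lower-security
        # interface, so a pool on a higher-security interface is suspect
        issues += [f"nat ({ifc}) {nid} -> global ({g}) {nid}: pool on higher-security interface"
                   for g in pool if sec[g] >= sec[ifc]]
    for r_ifc, m_ifc, mapped, _ in statics:
        for r2, _, _, real2 in statics:
            # a mapped address presented on interface X must not sit inside a real
            # network that another static says already lives on X
            if r2 == m_ifc and mapped.subnet_of(real2):
                issues.append(f"static ({r_ifc},{m_ifc}): mapped {mapped} overlaps "
                              f"real {m_ifc} network {real2}")
    return issues

# Constructed from the configuration posted in the thread.
ASKER_CFG = """
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255 0 0
nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface
"""
```

Running lint(ASKER_CFG) reports the dmz-to-inside pool and the overlapping static; NT's three-line nat/global example from the first reply produces no findings.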