ASA static NAT problem

Answered Question
Mar 23rd, 2012

Dear boss,

Please see attached my network diagram and the following configuration.

interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0

access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0

static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255

access-group DMZTOLocal out interface local

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp


I get ping and access to 192.168.0.241 (172.29.1.5) from 192.168.0.0/16, but can't get access and ping from 172.29.1.5 to 192.168.0.0/16.

What can I do if I want to get ping from DMZ to local?

Please advise.

Thanking you,

Shahid

Correct Answer
John Blakley Sat, 03/24/2012 - 06:01
User Badges:
  • Purple, 4500 points or more

Shahid,

The ASA/Pix firewalls allow you to go from a higher security level to a lower security level by default, but block traffic coming the other direction. You'll need to add an ACL on the DMZ interface allowing the traffic into your local LAN from the DMZ.

As a side note, is there a reason that you're NATing into the DMZ from your local side? You shouldn't if you can help it.

access-list FromDMZ permit icmp host 172.29.1.5 192.168.0.0 255.255.255.0
access-group FromDMZ in interface DMZ


John


Please rate useful posts...
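John's point above (traffic from a higher security level to a lower one passes by default, the reverse is dropped until an ACL applied "in" on the DMZ interface permits it), as an added example that is not part of this thread and is not Cisco code: a small Python model of the forwarding decision, built from the interface levels, the static entry and the two ACLs quoted in the thread. It assumes the pre-8.3 ACL semantics that go with the "static (DMZ,local)" syntax used here (an interface ACL sees addresses as they appear on that interface, which is why the outbound DMZTOLocal ACL on local matches the DMZ host as 192.168.0.241), a stateless check with no connection table, and a constructed local host address 192.168.0.10 that does not appear in the thread.

```python
"""Simplified model of ASA security levels, interface ACLs and pre-8.3 static NAT:
stateless, ACL entries match on protocol/source/destination only, and an ACL on an
interface sees addresses as they appear on that interface (pre-8.3 semantics)."""
import ipaddress

def _take_addr(tok):
    """Consume one address spec ('any', 'host A' or 'NET MASK'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl_line(line):
    """'access-list NAME [extended] permit|deny PROTO SRC DST' -> (NAME, (action, proto, src, dst))."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    name, tok = tok[1], tok[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    src, rest = _take_addr(tok[2:])
    dst, _ = _take_addr(rest)
    return name, (tok[0], tok[1], src, dst)

class Asa:
    def __init__(self):
        self.interfaces = {}   # name -> {"level": int, "in": ACL name or None, "out": ...}
        self.acls = {}         # name -> [(action, proto, src_net, dst_net), ...]
        self.statics = []      # (mapped_if, mapped_ip, real_ip)

    def add_interface(self, name, level):
        self.interfaces[name] = {"level": level, "in": None, "out": None}

    def add_acl_line(self, line):
        name, entry = parse_acl_line(line)
        self.acls.setdefault(name, []).append(entry)

    def access_group(self, acl, direction, iface):
        self.interfaces[iface][direction] = acl   # direction is "in" or "out"

    def add_static(self, real_if, mapped_if, mapped_ip, real_ip):
        """static (real_if,mapped_if) mapped_ip real_ip: on mapped_if, real_ip shows as mapped_ip."""
        self.statics.append((mapped_if, ipaddress.ip_address(mapped_ip), ipaddress.ip_address(real_ip)))

    def _seen_on(self, addr, in_if, out_if):
        """Translate an address as seen on in_if to how it appears on out_if."""
        real = next((r for m, mp, r in self.statics if m == in_if and addr == mp), addr)
        return next((mp for m, mp, r in self.statics if m == out_if and real == r), real)

    def _acl_permits(self, acl_name, proto, src, dst):
        """First matching entry decides; every ACL ends in an implicit deny."""
        for action, p, s, d in self.acls.get(acl_name, []):
            if p in ("ip", proto) and src in s and dst in d:
                return action == "permit"
        return False

    def allowed(self, in_if, out_if, proto, src, dst):
        """May a packet entering in_if (src/dst as seen there) leave via out_if?"""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress, egress = self.interfaces[in_if], self.interfaces[out_if]
        if ingress["in"]:
            # An inbound ACL replaces the security-level default entirely.
            if not self._acl_permits(ingress["in"], proto, src, dst):
                return False
        elif ingress["level"] <= egress["level"]:
            # No inbound ACL: only higher-to-lower passes by default (equal levels
            # would need same-security-traffic permit inter-interface, not modelled).
            return False
        if egress["out"]:
            # The outbound ACL sees addresses as they appear on the egress interface.
            src_e, dst_e = self._seen_on(src, in_if, out_if), self._seen_on(dst, in_if, out_if)
            if not self._acl_permits(egress["out"], proto, src_e, dst_e):
                return False
        return True

def asa_as_posted():
    """The parts of the question's configuration that matter for the DMZ <-> local path."""
    asa = Asa()
    asa.add_interface("local", 100)
    asa.add_interface("DMZ", 50)
    asa.add_static("DMZ", "local", "192.168.0.241", "172.29.1.5")
    asa.add_acl_line("access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0")
    asa.access_group("DMZTOLocal", "out", "local")
    return asa

def asa_with_fix():
    """Same box plus the two lines from the accepted answer."""
    asa = asa_as_posted()
    asa.add_acl_line("access-list FromDMZ permit icmp host 172.29.1.5 192.168.0.0 255.255.255.0")
    asa.access_group("FromDMZ", "in", "DMZ")
    return asa

if __name__ == "__main__":
    # 192.168.0.10 is a constructed local host address, not one from the thread.
    for label, asa in (("as posted", asa_as_posted()), ("with FromDMZ", asa_with_fix())):
        print(label, "DMZ->local icmp:", asa.allowed("DMZ", "local", "icmp", "172.29.1.5", "192.168.0.10"))
```

Run as a script it prints False for the configuration as posted and True once FromDMZ is applied on DMZ. Calling allowed() for the other cases shows the rest of the picture: the ping from local to 192.168.0.241 passes both before and after (higher to lower, no outbound ACL on DMZ), and TCP from 172.29.1.5 to local stays denied even with the fix, because FromDMZ permits only ICMP from that one host and the implicit deny at the end of the list catches everything else. That narrow shape is what you want on a DMZ-to-inside ACL.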
