ASA static NAT problem

shahid_duet
Level 1

Dear boss,

Please see my attached network diagram and the following configuration.

interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
!
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
access-group DMZTOLocal out interface local
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

I get ping and access to 192.168.0.241 (172.29.1.5) from 192.168.0.0/16, but I can't get access or ping from 172.29.1.5 to 192.168.0.0/16.

What can I do if I want to get ping from DMZ to local?

Please advise me.

Thanking you,

Shahid

Accepted Solution

John Blakley
VIP Alumni

Shahid,

The ASA/PIX firewalls allow you to go from a higher security level to a lower security level by default, but block traffic coming the other direction. You'll need to add an ACL on the DMZ interface allowing the traffic into your local LAN from the DMZ.

As a side note, is there a reason that you're NATting into the DMZ from your local side? You shouldn't if you can help it.

access-list FromDMZ permit icmp host 172.29.1.5 192.168.0.0 255.255.255.0
access-group FromDMZ in interface DMZ

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***
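The fix John describes, written out as a complete pre-8.3 ASA fragment that drops straight onto the configuration in the question. This is an added example, not John's or Shahid's own config: it keeps the interface names, the DMZ host 172.29.1.5 and the 192.168.0.0/16 range from the post, permits only ICMP echo from the DMZ rather than all IP (least privilege; anything else from the DMZ into the local LAN stays blocked by the implicit deny), and relies on the `inspect icmp` already present in global_policy to let the echo replies back through statefully. The test host 192.168.0.10 used in the verification commands is an assumption.

```cisco
! Added example (not from the original post). Pre-8.3 syntax, matching the
! static (DMZ,local) line in the question.
! Assumed: 192.168.0.10 is some host on the local LAN to ping.

! Inbound ACL on DMZ. Applied on the DMZ interface, the ACL matches the
! host's real address (172.29.1.5), not the 192.168.0.241 mapped address
! it is translated to on the local side.
! Only echo requests are permitted; echo replies come back through the
! stateful ICMP inspection (inspect icmp in global_policy), so no reverse
! rule is needed on the local interface.
access-list FromDMZ extended permit icmp host 172.29.1.5 192.168.0.0 255.255.0.0 echo
access-group FromDMZ in interface DMZ

! Nothing else changes: the existing static is bidirectional, so
! 172.29.1.5 still appears on the local LAN as 192.168.0.241, and the
! outbound ACL DMZTOLocal on the local interface already permits
! host 192.168.0.241 to 192.168.0.0/16. Both ACLs must permit the flow.

! Verification from exec mode: trace an echo request (type 8, code 0)
! entering on DMZ, then check the ACL hit counter after a real ping.
packet-tracer input DMZ icmp 172.29.1.5 8 0 192.168.0.10
show access-list FromDMZ
```

In the packet-tracer output, look for the ACCESS-LIST phase to reference FromDMZ and the NAT phase to show the static (DMZ,local) translation; if the trace is dropped at the ACCESS-LIST phase on the local interface instead, it is the outbound DMZTOLocal ACL, not the new one, that needs attention. If the DMZ host must also reach specific services in the local LAN, add them to FromDMZ as explicit `permit tcp`/`permit udp` lines with ports rather than widening the rule to `permit ip`.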
