New Member

Access from dmz to internet, where internet and inside lan are on same interface

I have a scenario: my outside and inside networks are connected via the inside interface of my PIX firewall, and the DMZ is connected via the dmz interface. Inside has security level 100 and dmz has 40.

From the DMZ I can access the inside LAN, but I am not able to access the internet. Kindly help.

8 REPLIES
Cisco Employee

Re: Access from dmz to internet, where internet and inside lan a

Hello,

Do you have NAT rules configured to access internet from DMZ?

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

In the above example, the outside interface IP address will be shared by both the inside and dmz clients when going to the internet. Please make sure that you have something similar configured. Also you need to check the following things:

-- There are no access-list entries on the DMZ to block internet connection

-- You have access to the DNS server (if the DNS server is on the inside subnet, please configure a static NAT rule for the DNS server)

-- If you are using an ASA5505 with base license, you will not be able to communicate between the inside and outside simultaneously.

Hope this helps,

Regards,

NT

New Member

Re: Access from dmz to internet, where internet and inside lan a

But I don't have any outside interface configured.....

Outside - router --- inside --- firewall --- dmz.

Outside and inside are on the same side of the firewall...

This config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

I think as traffic is moving from a lower to a higher security level, we need a static NAT.

But how can I use a static NAT for all internet addresses? There is no option of a wildcard in static NAT..

Thanks in advance..

ashish

Cisco Employee

Re: Access from dmz to internet, where internet and inside lan a

Hello,

In that case, you can disable NAT control and remove the existing NAT configurations.

ASA#configure terminal
ASA(config)#no nat-control
ASA(config)#clear configure nat
ASA(config)#clear configure global
ASA(config)#clear configure static

Since you have disabled the NAT requirement, all traffic will go to your outside router without any NAT. Make sure that the outside router has a rule to accommodate DMZ subnets in the NAT pool.

Hope this helps.

Regards,

NT

New Member

Re: Access from dmz to internet, where internet and inside lan a

I can check that, but for that I will need downtime, as some connections will also drop.. Second thing.... for traffic from a lower to a higher security level, don't we need static NAT? ......

Cisco Employee

Re: Access from dmz to internet, where internet and inside lan a

Hello,

You do not need any NAT rule when you are going from a lower security interface to a higher security interface.

Regards,

NT

New Member

Re: Access from dmz to internet, where internet and inside lan a

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255 0 0

nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface

will this help...

Cisco Employee

Re: Access from dmz to internet, where internet and inside lan a

Hello,

Few concerns:

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This statement seems to be incorrect.

global (inside) 2 interface

Why are you mapping DMZ traffic to inside interface IP?

You do not need to statically map DMZ addresses to inside addresses unless they are some servers. If you were trying to map the DNS server, your first statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes care of it.

Hope this helps.

Regards,

NT
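The back-and-forth above turns on one mechanical rule of PIX/ASA dynamic NAT: a "nat (iface) id" statement only produces a translation when a "global (iface) id" with the same id exists on the interface the packet leaves through, and with nat-control enabled a flow with no translation is dropped rather than forwarded untranslated. The following is an added example, not code from the thread or from Cisco; it is a deliberately simplified model that handles only nat/global pairing and the nat-control flag (no static statements, no security-level rules, no nat exemption). The interface names and addresses come from the thread; the two config strings are constructed from the statements posted in it, and the first one shows why "global (outside) 1 interface" buys nothing on a box that has no outside interface.

```python
import ipaddress

# Simplified model (assumption, not Cisco behaviour in full detail): a dynamic
# translation exists when a "nat (src_iface) id" covers the source address AND a
# "global (egress_iface) id" with the same id exists; with nat-control enabled,
# a flow without a translation is dropped (the classic "no translation group
# found" condition), with nat-control disabled it is forwarded untranslated.

# Constructed from the thread's first config. The box only has "inside" and
# "dmz", so the global on "outside" can never be paired with anything.
CONFIG_FIRST = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

# Constructed from the later proposal: nat id 2 for three DMZ subnets, PAT to
# the inside interface address (inside is the interface facing the router here).
CONFIG_PROPOSED = """
nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface
"""

INTERFACES = {"inside", "dmz"}  # the only interfaces the firewall in the thread has


def parse_config(text, interfaces=INTERFACES):
    """Collect nat/global statements and the nat-control flag from config text."""
    cfg = {"nat": [], "global": [], "nat_control": True, "ignored": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nat" and len(parts) >= 5:
            iface = parts[1].strip("()")
            # "address mask" form; strict=False tolerates host bits in the address
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            cfg["nat"].append((iface, int(parts[2]), net))
        elif parts[0] == "global" and len(parts) >= 4:
            iface = parts[1].strip("()")
            if iface not in interfaces:
                cfg["ignored"].append(line)  # global on an interface that does not exist
                continue
            cfg["global"].append((iface, int(parts[2]), " ".join(parts[3:])))
        elif line == "no nat-control":
            cfg["nat_control"] = False
        elif line == "nat-control":
            cfg["nat_control"] = True
    return cfg


def translation_for(cfg, src_iface, src_ip, egress_iface):
    """Return (nat_id, pool) when a nat statement on src_iface covers src_ip and a
    global with the same id exists on egress_iface; otherwise None."""
    ip = ipaddress.ip_address(src_ip)
    candidates = [(net.prefixlen, nat_id)
                  for iface, nat_id, net in cfg["nat"]
                  if iface == src_iface and ip in net]
    if not candidates:
        return None
    _, nat_id = max(candidates)  # most specific nat statement wins
    for iface, gid, pool in cfg["global"]:
        if iface == egress_iface and gid == nat_id:
            return nat_id, pool
    return None


def forwarding_decision(cfg, src_iface, src_ip, egress_iface):
    """'translate', 'pass-untranslated' or 'drop-no-translation' for one flow."""
    if translation_for(cfg, src_iface, src_ip, egress_iface):
        return "translate"
    if not cfg["nat_control"]:
        return "pass-untranslated"  # what "no nat-control" changes in the thread
    return "drop-no-translation"    # nat-control on, no nat/global pair for this egress


if __name__ == "__main__":
    first = parse_config(CONFIG_FIRST)
    print("ignored statements:", first["ignored"])
    print("dmz -> internet via inside, first config:",
          forwarding_decision(first, "dmz", "10.2.1.2", "inside"))
    relaxed = parse_config(CONFIG_FIRST + "no nat-control\n")
    print("same flow with nat-control disabled:",
          forwarding_decision(relaxed, "dmz", "10.2.1.2", "inside"))
    proposed = parse_config(CONFIG_PROPOSED)
    print("dmz -> internet via inside, proposed config:",
          forwarding_decision(proposed, "dmz", "10.2.1.2", "inside"))
```

Run against the first config the model returns drop-no-translation for a DMZ host heading out through inside, which matches the symptom reported in the thread (traffic dies before reaching the router); appending "no nat-control" turns that into pass-untranslated, and the proposed nat id 2 plus "global (inside) 2 interface" yields a translation. The check is useful as a quick sanity test of a config before a change window: every nat id you rely on needs a global with that id on the real egress interface.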

New Member

Re: Access from dmz to internet, where internet and inside lan a

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This is because.. dmz and inside are using approximately the same kind of IP range, meaning 10.*.*

Because of this command, access from dmz to inside is possible, but not towards the internet......

In my firewall the traffic is not even reaching the outside interface.. it's getting dead before it.. some NATting issue.

This statement seems to be incorrect.

global (inside) 2 interface

I want to do so that it will take the inside IP address to go to the internet...

Why are you mapping DMZ traffic to inside interface IP?

You do not need to statically map DMZ addresses to inside address unless
they are some servers. If you were trying to map the DNS server, your first
statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes
care of it.
