Community Member

ASA 5505 inside access to dmz

I have an ASA 5505 set up with 3 VLANs (outside 0, dmz 50, and inside 100). I can't figure out how to allow the clients on the inside VLAN access to the dmz. Inside has access to internet, dmz has access to internet, and internet has access to dmz. My config is attached (I do have a site-to-site IPsec VPN that is working).

4 REPLIES
Community Member

Re: ASA 5505 inside access to dmz

One thing I did see was this

access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0 log debugging

Shouldn't 192.168.1.0 be 192.168.100.0?

Community Member

Re: ASA 5505 inside access to dmz

192.168.1.0 is my remote site-to-site VPN. I think those statements were added to support the VPN, but I really do not remember.

Re: ASA 5505 inside access to dmz

Looks like you have an issue with your NAT configs.

What is this "static (dmz,inside) 192.168.99.46 71.x.x.46 netmask 255.255.255.255" used for? Is the x.x the same as in

"static (dmz,outside) 71.x.x.46 192.168.99.46 netmask 255.255.255.255"

Try configuring NAT exemption from DMZ to INSIDE and see if it helps.

Community Member

Re: ASA 5505 inside access to dmz

Try this,

Remove

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Use this as well,

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
