Cisco Support Community
New Member

ASA static NAT problem

Dear boss

I'm using ASA5510 for DMZ. Please see my attached diagram and configuration.

interface Ethernet0/0
 nameif local
 security-level 100
 ip address

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address

interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address

access-list DMZTOLocal extended permit ip host
static (DMZ,local) netmask
access-group DMZTOLocal out interface local

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

My outside NAT is ok. I get local to DMZ ie to, but not getting to

What can I do if I want to get DMZ to Local?

Please suggest me.

Thanking You


New Member

ASA static NAT problem

I have some issues with your design.

Firstly, I am not used to an inside interface (a LAN) with an IP address ending in .243; I am used to .1

My knowledge is limited so it might be perfectly legitimate.

Secondly with a basic license at least on the ASA5505, the DMZ could only be used for DMZ or internet bound traffic.

The internal LAN could reach the DMZ or the internet.

Make sure your license permits a fully functioning DMZ.

Thirdly, I really don't care about your config at this point. I would like to know in words what your requirements are first. Then we can look at implementation. What is it that you need in your work environment, in concepts?

ASA static NAT problem


access-list DMZTOLocal extended permit ip host

will still not allow access from DMZ--->Local

access-list DMZTOLocal extended permit ip host

and apply this to your DMZ interface in access-group DMZTOLOCAL in interface DMZ

Also, fire up your packet tracer in ASDM and see what drops your traffic.



Please remember to rate useful posts, by clicking on the stars below.
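The point made in the reply above (the ACL is bound outbound on `local`, so nothing permits DMZ traffic inbound on the DMZ interface) can be checked mechanically. The following is an added example, not part of the original thread: the sample configuration is constructed from the interface names and security levels in the question, and the functions `parse` and `blocked_flows` are hypothetical helpers. It assumes per-interface `access-group` bindings only and does not inspect the ACL entries or NAT rules themselves.

```python
import re

# Constructed sample mirroring the thread's layout; IP addresses are left out
# because the page does not show them.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif local
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
interface Ethernet0/2
 nameif DMZ
 security-level 50
access-group DMZTOLocal out interface local
"""

def parse(config):
    """Return ({nameif: security_level}, [(acl, direction, nameif)])."""
    levels, groups, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None  # new stanza: wait for its nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.fullmatch(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups.append((m.group(1), m.group(2), m.group(3)))
    return levels, groups

def blocked_flows(config):
    """List (src, dst) interface pairs where src has the lower security level
    and no ACL is bound inbound on src. New connections in that direction hit
    the implicit deny on src, whatever is bound outbound on dst. A pair missing
    from the list still needs an ACL entry that actually permits the traffic."""
    levels, groups = parse(config)
    inbound = {iface for _, direction, iface in groups if direction == "in"}
    return sorted(
        (src, dst)
        for src in levels for dst in levels
        if levels[src] < levels[dst] and src not in inbound
    )
```

Run against the configuration as posted, `blocked_flows` reports the DMZ to local direction; rebinding the ACL with `in interface DMZ` removes that pair while the outside directions stay closed.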
