ASA static NAT problem

Dear boss

I'm using an ASA5510 for the DMZ. Please see my attached diagram and configuration.

interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
!
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
!
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
!
access-group DMZTOLocal out interface local
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

My outside NAT is OK. I can get from local to DMZ, i.e. 192.168.0.0/16 to 192.168.0.241 (172.29.1.5), but not from 172.29.1.5 to 192.168.0.0/16.

What can I do if I want to get from DMZ to local?

Please suggest me.

Thanking You

shahid

2 REPLIES

ASA static NAT problem

I have some issues with your design.

Firstly, I am not used to an inside interface (a LAN) with an IP address ending in .243; I am used to .1.

My knowledge is limited so it might be perfectly legitimate.

Secondly, with a Base license, at least on the ASA5505, the DMZ could only be used for DMZ- or internet-bound traffic.

The internal lan could reach the DMZ or the internet.

Make sure your license permits a fully functioning DMZ.

Thirdly, I really don't care about your config at this point. I would like to know in words what your requirements are first. Then we can look at implementation. What is it that you need in your work environment, in concepts?

ASA static NAT problem

Your:

access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0

will still not allow access from DMZ ---> local. Use:

access-list DMZTOLocal extended permit ip host 172.29.1.5 192.168.0.0 255.255.0.0

and apply this to your DMZ interface with: access-group DMZTOLocal in interface DMZ

Also, fire up Packet Tracer in ASDM and see what drops your traffic.

Regards

Dennis

Please remember to rate useful posts, by clicking on the stars below.
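The reply above hinges on two pre-8.3 ASA rules: traffic from a lower-security interface (DMZ, 50) to a higher-security one (local, 100) is dropped unless an ACL applied inbound on the ingress interface permits it, and that inbound ACL is matched against the untranslated source address the packet arrives with (172.29.1.5, not the static-NAT mapped 192.168.0.241). The following Python script is an added example, not code from the thread or from Cisco: it parses the configuration posted in the question (the sample text is the poster's lines, trimmed) and a constructed "fixed" variant that applies Dennis's change, then evaluates the DMZ-to-local flow under those two rules. It assumes plain `ip` ACL entries (protocol and ports are ignored), takes the egress interface as given instead of consulting the routing table, and models only the `static`/`access-group` syntax shown on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the configuration from the question (pre-8.3 "static" syntax),
# trimmed to the lines that decide the DMZ -> local flow.
ORIGINAL = """
interface Ethernet0/0
 nameif local
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
interface Ethernet0/2
 nameif DMZ
 security-level 50
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
access-group DMZTOLocal out interface local
"""

# Constructed variant applying the reply's fix: the ACL names the real (untranslated)
# DMZ address and is applied inbound on the DMZ interface.
FIXED = ORIGINAL.replace(
    "permit ip host 192.168.0.241 192.168.0.0", "permit ip host 172.29.1.5 192.168.0.0"
).replace("access-group DMZTOLocal out interface local",
          "access-group DMZTOLocal in interface DMZ")


def _addr(tokens):
    """Consume one ACL address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(text):
    """Extract security levels, extended ACL entries, access-groups and static NATs."""
    cfg = {"security": {}, "acls": {}, "groups": {}, "statics": []}
    current = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":
            current = t[1]
        elif t[0] == "security-level" and current:
            cfg["security"][current] = int(t[1])
        elif t[0] == "access-list" and t[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST  (ports ignored here)
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "access-group":
            # access-group NAME in|out interface IF
            cfg["groups"][(t[4], t[2])] = t[1]
        elif t[0] == "static":
            # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, t[2], t[3]))
    return cfg


def real_address(cfg, mapped_ip):
    """Map a static-NAT mapped address back to the real address an inbound ACL must name."""
    for _real_if, _mapped_if, mapped, real in cfg["statics"]:
        if mapped == mapped_ip:
            return real
    return mapped_ip


def flow_permitted(cfg, ingress, egress, src, dst):
    """Decide whether a packet entering on `ingress` and leaving on `egress` is allowed.

    `src` must be the untranslated address the packet arrives with: the inbound ACL
    on the ingress interface is evaluated before the static translation applies.
    """
    acl_name = cfg["groups"].get((ingress, "in"))
    if acl_name is None:
        # No inbound ACL: only higher-to-lower security traffic passes by default.
        return cfg["security"][ingress] > cfg["security"][egress]
    s, d = ip_address(src), ip_address(dst)
    for action, _proto, src_net, dst_net in cfg["acls"].get(acl_name, []):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        cfg = parse(text)
        ok = flow_permitted(cfg, "DMZ", "local", "172.29.1.5", "192.168.0.10")
        print(f"{label}: DMZ 172.29.1.5 -> local 192.168.0.10 permitted = {ok}")
    print("address the inbound ACL must name:", real_address(parse(ORIGINAL), "192.168.0.241"))
```

With the posted configuration the script reports the DMZ-to-local flow as denied (the only access-group is outbound on local, so the lower-to-higher default applies), while local-to-DMZ passes without any ACL, which matches the symptoms in the question; with the corrected ACL applied inbound on DMZ the same flow is permitted. Packet Tracer in ASDM, as the reply suggests, is the authoritative check on the box itself.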
