Cisco Support Community
Community Member

ASA5505 Static Mapping Problem - Possible bug with ver. 7.2(2)

Hi all, I need a 2nd opinion here. I tried to configure my ASA5505 to allow users from the “inside interface” to access a server in the DMZ (see attached drawing). I did this by using a static command:

static (dmz,inside) mapped_internal_ip_address real_ip_dmz_ip_address netmask 255.255.255.255

This is also documented in Cisco document ID 64758 - pix70-nat-pat.pdf (attached file). Although this is a very typical setup, my endeavor failed miserably.

I did the same and allowed users from the “outside interface” to access the same server in the DMZ, and it worked flawlessly.

I did check sysopt, and proxyarp was not disabled.

I strongly suspected this was a bug in the software, because Cisco documented that this could be done.

I would like a second pair of eyes to verify my configuration.

See the configuration and err msg in the attached "Message text - ASA5505 Static Mapping Problem.doc".

2 REPLIES
Community Member

Re: ASA5505 Static Mapping Problem - Possible bug with ver. 7.2(

Do some modification to the config:

static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0

After modification, I'm sure that the inside host can ping the dmz server.

Also check for the nat statement:

nat (dmz) 1 0 0

my mail--abhaycold@gmail.com

Community Member

Re: ASA5505 Static Mapping Problem - Possible bug with ver. 7.2(

Thanks Santukumar! I tried, but that did not help. By adding static (inside,dmz) 10.75.88.0 10.75.88.0 netmask 255.255.255.0, the firewall allows requests from DMZ to inside, which is the opposite of what I tried to accomplish.

Tse
