Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA configuration

Hi everyone,

I have a problem configuring a cisco ASA 5510 - 8.4 :

I have attached a picture of the network :

Could you help me with the configuration needed to have the host within the DMZ subnet talk to the PI server and vice versa.

at the moment I can only ping from both subnet from the firewall.

End to end devices canot go through.


Thank you very much.

  • Firewalling
Everyone's tags (1)
New Member

If NAT is configured properly

If NAT is configured properly, the default traffic flow policies will work. You'll configure the outside interface as security level 0 (least trusted interface) and the inside interface is typically security level 100. A DMZ will typically be somewhere in between, like 50. By default, the ASA allows traffic from more-trusted interfaces out less-trusted interfaces, and the state tracking on the ASA will allow return traffic. In this case, even though the DMZ is not a "trusted" interface, it's more trusted than the outside interface, so traffic from the DMZ will be allowed out the outside interface. (Traffic from the DMZ would NOT be allowed out the inside interface unless specifically allowed by an access list.)

For the NAT configuration, you'll want an object group that represents the DMZ subnet or host, and then configure:

object network <object-group_name>
 nat (<dmz_interface_name>,<outside_interface_name>) dynamic interface

That will allow the PI server to know where to send the response without having to have a route to the DMZ subnet.

That's the very basics. There's a lot more you need to know to configure other features (management access, SNMP traps, etc.) that that should get you started.


VIP Green

just for clarification, is

just for clarification, is the PI server directly connected (on the same subnet) as the outside interface? Reason I ask is that you have the PI server at A.B.C.80 while the ASA is on A.B.C.250.  I so then the address E.F.G.1 and E.F.G.35 are management IPs?

Also, which host is considered to be in the DMZ, the H.I.J.1 or K.L.M.37?

Please clarify these points so we can help you further.  Also please post a full running config of the ASA (sanitised) so we can see what you have configured so far.


Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
This widget could not be displayed.