Cisco Support Community
Community Member

DMZ Configuration

I am trying to set up a DMZ and I am running into problems. I set up a Windows server in the DMZ thinking I would be able to ping it or at least access the file share. No luck. (No, I won't do this in a production environment.) I am new at setting up a DMZ and want to get the hang of how things will work. The ASA I am working with is currently in a test environment.

The quick startup guide for the Cisco ASA appliance suggests doing the following.

DMZ = /24

internal = /24

global (dmz) 50 netmask

nat (inside) 50

I then put a Windows machine in the DMZ and configured it with an IP of

What I have found is I get no xlate, and I can't access the server via ping or the file share.

I have seen some references on this forum recommend

static (inside,dmz) netmask

Any suggestions...thanks

Cisco Employee

Re: DMZ Configuration

In the above case, Static is a better route to take since the packets are between the Inside and DMZ.

static (inside,dmz) netmask

In the above case, any traffic going to the DMZ will get translated to So the DMZ network will see the inside network as And if the DMZ is going to initiate the traffic to inside destined for, make sure the ACL applied on the DMZ permits this traffic.



*Pls rate if it helps*

Re: DMZ Configuration

In addition, you can do a nonat exempt ACL instead towards either direction if you intend to simply NAT exempt both networks, dmz and inside.

access-list nonat extended permit ip

access-list nonat extended permit ip

nat (dmz) 0 access-list nonat

Best is to reference this link to understand NAT in firewalls
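
Added example, not part of any post in this thread: the two approaches suggested above (identity static and NAT exemption) written out in the same pre-8.3 ASA syntax, together with the DMZ interface ACL mentioned in the first reply. All addresses, the ACL name dmz_in and the permitted port are constructed for illustration, because the thread's own addresses are not shown.

```cisco
! Constructed addressing (assumption, not taken from the thread):
!   inside = 192.168.10.0/24, higher security level
!   dmz    = 172.16.50.0/24,  lower security level, server at 172.16.50.10

! Option A: identity static. DMZ hosts see inside hosts at their real addresses.
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Option B (use instead of A): NAT exemption between the two networks.
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! With either option, connections initiated from the DMZ towards inside go from
! a lower to a higher security level and are dropped unless an ACL on the dmz
! interface permits them. Permit only the flows the DMZ server needs
! (the destination host and port here are hypothetical).
access-list dmz_in extended permit tcp host 172.16.50.10 host 192.168.10.20 eq 443
! ICMP is not inspected by default, so echo replies to pings sent from inside
! must be allowed back explicitly (or ICMP inspection enabled).
access-list dmz_in extended permit icmp host 172.16.50.10 192.168.10.0 255.255.255.0 echo-reply
! Log every other DMZ-to-inside attempt; everything else hits the implicit deny.
access-list dmz_in extended deny ip 172.16.50.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-group dmz_in in interface dmz

! Verification: translation table, ACL hit counts, and a simulated ping.
show xlate
show access-list dmz_in
packet-tracer input inside icmp 192.168.10.20 8 0 172.16.50.10
```

Once dmz_in is applied, the dmz interface no longer passes traffic to lower-security interfaces by default, so any Internet-bound flows from the DMZ need their own permit entries.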

