
inside to dmz

hi all,

Suppose I have one server (x) on the inside interface of the ASA which needs to access server (y) on the DMZ interface of the ASA on specific ports, e.g. 25 & 21

but in doing so the server (x) ip address e.g. should be natted to ( the subnet configured on the DMZ

server (x) needs to access server (y) having ip address

What would be the best possible way to do so? I have tried using access-list and global, but I get the error message "portmap translation creation failed" on syslog. Now I was thinking of doing it using static from (inside,dmz) using access list - PAT

any help would be great


Re: inside to dmz

Try this

Your static and acl should be similar to this.

static (inside,DMZ) netmask 0 0

access-list inside_access_in permit tcp host host eq 21

access-list inside_access_in permit tcp host host eq 25

access-group inside_access_in in interface inside


Re: inside to dmz

hi jorgemcse,

This would leave the without being translated, but like I said earlier I want to be translated to , a subnet configured on the DMZ

Hope this clears up my point of question

Re: inside to dmz


Then creating PAT for the DMZ interface is one way of doing it: allocate an address for it under the subnet and create PAT, or use the DMZ interface itself as the PAT device.

e.g. regular PAT

global (DMZ) 1


global (DMZ) 1 interface
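
The PAT approach from this reply, written out end to end in pre-8.3 ASA syntax as an added example (not part of the original thread). The angle-bracket values, the ACL name X_TO_Y_PAT and NAT ID 5 are placeholders chosen here; the NAT rule matches on the host pair only and the port restriction is left to the interface ACL.

```text
! Added example: placeholders in <...> must be replaced with real values.
! <X_INSIDE_IP>  = real address of server (x) on the inside
! <Y_DMZ_IP>     = address of server (y) on the DMZ
! <PAT_DMZ_IP>   = unused address inside the DMZ subnet

! 1. Policy NAT match: translate x only when it talks to y.
access-list X_TO_Y_PAT extended permit ip host <X_INSIDE_IP> host <Y_DMZ_IP>

! 2. The nat ID on the source interface must equal the global ID on the
!    egress interface; ID 5 is an arbitrary choice for this example.
nat (inside) 5 access-list X_TO_Y_PAT
global (DMZ) 5 <PAT_DMZ_IP>
!    Alternative from the reply: PAT to the DMZ interface address itself.
! global (DMZ) 5 interface

! 3. Restrict x to the two services on y.
!    Applying an ACL inbound on inside adds an implicit deny for all
!    other traffic entering that interface, so permit anything else
!    that inside hosts legitimately need before applying it.
access-list inside_access_in extended permit tcp host <X_INSIDE_IP> host <Y_DMZ_IP> eq 21
access-list inside_access_in extended permit tcp host <X_INSIDE_IP> host <Y_DMZ_IP> eq 25
access-group inside_access_in in interface inside

! 4. Checks after applying:
!    show xlate
!      -> expect a PAT entry mapping <X_INSIDE_IP> to <PAT_DMZ_IP>
!    packet-tracer input inside tcp <X_INSIDE_IP> 1025 <Y_DMZ_IP> 25
!      -> expect the NAT phase to show the translation and result ALLOW
!    packet-tracer input inside tcp <X_INSIDE_IP> 1025 <Y_DMZ_IP> 80
!      -> expect DROP at the access-list phase
```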


Re: inside to dmz

What is the error exactly that you are getting? Ideally you don't need an ACL when going from inside to dmz.

It should only have one statement

static (inside,DMZ) netmask

You can try this and if it works then you can create an ACL on the DMZ interface for restricting the ports.

Just out of you have the nat-control enabled.

--Pls rate if it helps--