Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Let DMZ have a public network, static route?


My internet provider provides one /30 network and one /24 network over one link. No VLAN tagging is done by them. I would like not to use PAT and internal IP's on the DMZ, but to let DMZ hosts use IP's in the /24 network. I figure the ASA must know that incoming and outgoing traffic to and for the /24 should be routed to the DMZ. As I have no ASA in front of me now, I wonder if a static route on outside interface would be sufficient?

ASA primary WAN IP:

ASA DMZ interface IP:

ASA /24 network that goes to DMZ:


Would something like this route be sufficient?

ciscoasa(config-if)# route outside


Re: Let DMZ have a public network, static route?

You will not need to route traffic directly connected. You only need the default gateway.

If you are going to use the public IP in your DMZ then you will need to do NO nAT


access-list nonat per ip any

nat (dmz) 0 access-list nonat

That should work for outbound traffic

for inbound traffic you will need an ACL in your outside to permit the traffic.

BTW you cannot route traffic based on the source only based on the destination. (in the ASA)

Re: Let DMZ have a public network, static route?

Can you draw your topology to understand better?

New Member

Re: Let DMZ have a public network, static route?

Not very good at drawings, added an exchange server in DMZ. Hope it makes it more clear.

CreatePlease to create content