Cisco Support Community

nat dmz to inside

Hello, my name is Ivan.

I have a Cisco ASA 5520 running IOS 8.2. This is my configuration:

asa# sh run name

name 192.168.1.2 HOST-DMZ

name 10.24.1.8 HOST-LAN

asa# sh run nat

nat (inside) 1 10.24.1.0 255.255.255.0

nat (dmz) 1 192.168.1.0 255.255.255.0

asa# sh run global

global (dmz) 1 interface

global (outside) 1 interface

asa# sh run static

static (inside,outside) 172.24.10.4 10.24.1.8 netmask 255.255.255.255

static (dmz,outside) 172.24.10.5 192.168.1.2 netmask 255.255.255.255

static (dmz,inside) 10.24.1.8 192.168.1.2 netmask 255.255.255.255

asa# sh run access-list

access-list ACLS-RED-LAN permit ip host 10.24.1.8 any log

access-list ACLS-RED-DMZ permit ip host 192.168.1.2 any log

access-list ACLS-RED-OUTSIDE permit ip any host 172.24.10.4 log

access-list ACLS-RED-OUTSIDE permit ip any host 172.24.10.5 log

access-group ACLS-RED-LAN in interface inside

access-group ACLS-RED-DMZ in interface dmz

access-group ACLS-RED-OUTSIDE in interface outside

According to it, I can access the two hosts as follows:

inside to outside...OK

inside to dmz.......OK

outside to inside...OK

outside to dmz.....OK

But I cannot access from DMZ to INSIDE. Could you please give me some advice to resolve it?

Thanks, regards

Ivan

3 REPLIES

nat dmz to inside

Hi Ivan,

Please paste: sh run nat-control

If nat-control is enabled, you will need one more static for the server on the inside:

static (inside,dmz) 192.168.1.8 10.24.1.8 netmask 255.255.255.255

And you will access the inside host from the DMZ as 192.168.1.8; if 192.168.1.8 is already used in your setup, then change it.

Regards

Dan

nat dmz to inside

So Ivan,

DMZ to inside is usually traffic flowing from a lower to a higher security level, so you need a bidirectional NAT rule:

Please try the following:

static (inside,dmz) 10.24.1.0 10.24.1.0 netmask 255.255.255.0

Then configure an ACL on the DMZ:

access-list dmz permit ip any 10.24.1.0 255.255.255.0

access-group dmz in interface dmz

Of course I am being general; you can be as restrictive as you want with the NAT and the ACLs.

Do rate all the helpful posts

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nat dmz to inside

Hello Julio,

According to your advice, when I configure static (inside,dmz) 10.24.1.8 10.24.1.8, I cannot access from the DMZ to the outside.

Maybe another piece of advice?

Thanks

Regards
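Editor's worked example, not posted by Ivan, Dan or Julio: the complete 8.2 sequence that puts Dan's nat-control check and Julio's static (inside,dmz) together, narrowed to the one inside host and the one DMZ host from Ivan's configuration, with the commands that show whether the translation is actually being built. It assumes nat-control is enabled, that HOST-DMZ needs TCP/80 on HOST-LAN (the port is an assumption), and that 10.24.1.200 is a free address on the inside subnet (also assumed); every other name and address is taken from Ivan's post. One caveat a practitioner would raise first: Ivan's existing static (dmz,inside) 10.24.1.8 192.168.1.2 presents HOST-DMZ to the inside as 10.24.1.8, which is HOST-LAN's own real address. The ASA proxy-ARPs on the mapped interface for a static's mapped address, so with that line the firewall answers ARP for 10.24.1.8 on inside in competition with the real host, and any static for 10.24.1.8 on the dmz side lands on top of it; the example therefore moves that mapping to a free address before adding the identity static.

```cisco
! Added example (editor's addition, not from the thread). ASA 8.2 syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! Assumptions: nat-control enabled, HOST-DMZ needs TCP/80 on HOST-LAN,
! 10.24.1.200 is unused on the inside subnet.

! 0. Confirm whether nat-control is on (Dan's first question).
show running-config nat-control

! 1. Move the DMZ host's inside-facing mapped address off HOST-LAN's real
!    address 10.24.1.8. 10.24.1.200 is an assumed free address; drop the
!    second line entirely if inside hosts do not need to reach HOST-DMZ.
no static (dmz,inside) 10.24.1.8 192.168.1.2 netmask 255.255.255.255
static (dmz,inside) 10.24.1.200 192.168.1.2 netmask 255.255.255.255

! 2. Identity static: the DMZ reaches HOST-LAN at its real address. This is
!    the single-host form of Julio's subnet-wide static (inside,dmz) and
!    needs no extra mapped address such as Dan's 192.168.1.8.
static (inside,dmz) 10.24.1.8 10.24.1.8 netmask 255.255.255.255

! 3. Interface ACL. Ivan's ACLS-RED-DMZ entry "permit ip host 192.168.1.2
!    any log" is already bound inbound on dmz and matches this flow, so no
!    change is required. If that entry is ever tightened, the minimum for
!    this flow would be:
!    access-list ACLS-RED-DMZ permit tcp host 192.168.1.2 host 10.24.1.8 eq 80 log

! 4. A static added after the fact does not rewrite translations that
!    already exist. Scope the clear to the one address rather than
!    clearing every xlate on the box.
clear xlate global 10.24.1.8

! 5. Verify. The trace must show a NAT phase that matches the identity
!    static from step 2 and finish with "Action: allow"; if it stops at
!    the NAT phase, nat-control is on and the static was not matched.
packet-tracer input dmz tcp 192.168.1.2 1025 10.24.1.8 80
show xlate | include 10.24.1.8
```

The identity static is deliberately host-scoped: with nat-control, a static (or nat 0) is what permits lower-to-higher traffic to reach an inside address at all, so the narrower the static, the smaller the set of inside hosts that becomes reachable from the DMZ regardless of what the DMZ ACL says.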
