Cisco Support Community

ASA 5510 VPN does not work after trying to add DMZ

I had an ASA 5510 set up for remote access VPN and everything was working fine until I tried to add a DMZ. VPN users cannot connect any more and, to make things worse, I cannot backtrack and fix the problem. Here are bits of my config:

interface Ethernet0/0
 description OUTSIDE
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/1
 description INSIDE
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 description DMZ
 nameif dmz
 security-level 10
 ip address


access-list nonat extended permit ip

access-list split standard permit

(there are no other access lists - on any interface in any direction)

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

static (inside,dmz) netmask

static (dmz,outside) interface netmask

The only part that I really added was the last two lines. That's when I figured out that users cannot VPN, so I didn't continue with the DMZ setup. After adding the last line, the response that I got was:

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

Now even if I try to

no static (inside,dmz) netmask

no static (dmz,outside) interface netmask

the VPN does not work.

Any help is appreciated...


Re: ASA 5510 VPN does not work after trying to add DMZ

When you used the dmz static you broke everything else. That command stated that for the interface outside that ip only translates to the dmz server.

Remove the static (dmz,outside) interface netmask

Re-apply your crypto's to the outside interface. Verify that works.

Use static PAT for your DMZ:

static (inside,outside) tcp interface port_number port_number netmask

Static PAT:

Hope this helps



Please rate if helpful!


Re: ASA 5510 VPN does not work after trying to add DMZ

Hi Chad, this was extremely helpful. Thanks a lot. One more question:

static (inside,outside) tcp interface [port number] [port number] netmask

This command forwards all traffic from [port number] coming in on the outside interface to [port number] on, right? When I used

static (dmz,outside) interface netmask

I was able to access the internet from the DMZ. Without it I cannot. Any ideas? Thanks again.


Re: ASA 5510 VPN does not work after trying to add DMZ

This will PAT your DMZ clients using the global interface.

nat (dmz) 1 (all dmz hosts)

nat (dmz) 1 (only that server)

The static would be needed if you had a service running on that server like a web page. Then you would create the static command using port 80.
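A pre-change check for the two problems discussed in this thread, as an added example that is not from any poster or from Cisco: it flags a static that maps the whole interface address (the cause of the "all services terminating at outside interface are disabled" warning) and any named interface with no dynamic nat rule tied to a global pool. The sample configs and addresses are constructed, the syntax is the pre-8.3 form used in the thread, and the server is assumed to sit on the dmz interface.

```python
import re

STATIC = re.compile(r"^static \((\S+?),(\S+?)\)\s+(.*)$")
NAT = re.compile(r"^nat \((\S+?)\)\s+(\d+)\b")
GLOBAL = re.compile(r"^global \((\S+?)\)\s+(\d+)\b")
NAMEIF = re.compile(r"^nameif (\S+)$")

# Constructed sample configs (addresses are placeholders, not from the thread).
BASE = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif dmz
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.1.0 255.255.255.0
"""
BROKEN = BASE + "static (dmz,outside) interface 10.0.2.10 netmask 255.255.255.255\n"
FIXED = BASE + ("nat (dmz) 1 10.0.2.0 255.255.255.0\nstatic (dmz,outside) tcp "
                "interface www 10.0.2.10 www netmask 255.255.255.255\n")


def audit(config):
    """Return (line_no, message) findings for a pre-8.3 ASA/PIX config."""
    findings, names, nat_ids, pools = [], [], {}, {}
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())
        if m := NAMEIF.match(line):
            names.append(m.group(1))
        elif m := GLOBAL.match(line):
            pools.setdefault(m.group(1), set()).add(m.group(2))
        elif m := NAT.match(line):
            nat_ids.setdefault(m.group(1), set()).add(m.group(2))
        elif (m := STATIC.match(line)) and m.group(3).lower().startswith("interface "):
            # No tcp/udp keyword before "interface": every port on the mapped
            # interface address is redirected, so nothing terminates on the ASA.
            findings.append((no, f"static ({m.group(1)},{m.group(2)}) takes over the "
                                 f"whole {m.group(2)} address; use static PAT"))
    pool_ids = set().union(*pools.values())
    for name in names:
        # nat 0 is exemption, not PAT; the egress interface needs no nat rule.
        if name not in pools and not (nat_ids.get(name, set()) - {"0"}) & pool_ids:
            findings.append((None, f"no dynamic nat ({name}) rule matches a global pool id"))
    return findings

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED), sep="\n")
```

Running it against a candidate config before pasting it into the firewall shows both findings for the broken variant and none for the corrected one.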
