Cisco Support Community

How to configure ASA 5500 with policy nat to access a machine by its real and public IP


A device in the demilitarized zone (DMZ) that needs to be accessed by either its NATed or its un-NATed IP address can be made accessible with policy NAT.

Refer to this example:

access-list tac permit ip host x.x.x.x any

static (dmz,outside) netmask
static (dmz,inside)   netmask
static (dmz,inside) x.x.x.x access-list tac

For more information, refer to the static command.


I think this is not an acceptable quality document in any way.

What does it mean that a DMZ can be accessed by its public and private address? From where?

The config is not possible.

Community Member

Is the assumption that there is a server in the DMZ that the inside needs to get to on its internal IP and the outside world needs to get to on the public?

If so, you can nat 0 the traffic from the internal to the DMZ and from the DMZ into the inside.

Also, I believe Alejabdro is correct in saying that this is not a valid command. Options are:

configure mode commands/options:
  Hostname or A.B.C.D  Global or mapped address
  interface            Global address overload from interface
  tcp                  TCP to be used as transport protocol
  udp                  UDP to be used as transport protocol