Cisco Support Community

New Member

ASA 5515X DMZ reachability issue

Hello everyone,
I want to migrate a client network from ASA 8.2 to 9.1. Presently, the 8.2 box takes LAN users to the internet, and to a webserver in the DMZ. The DMZ server is accessed both from the LAN with a private IP address and from the internet using its public IP address.
After translating the current 8.2 config, LAN users can access the internet, but cannot browse the webserver in the DMZ; but 'weirdly' can ping it; so ICMP is going to the webserver from the LAN, but it can't be reached by HTTP. Kindly share a sample config, if you have conquered this before. Bear in mind that NAT is different in 9.1 compared to 8.2. Here is a part of the config.

interface GigabitEthernet0/0
 nameif outsideif
 security-level 0
 ip address outside-if 
interface GigabitEthernet0/1
 nameif insideif
 security-level 100
 ip address inside-if 
interface GigabitEthernet0/2
 nameif dmzif
 security-level 50
 ip address dmz-if 
object network DMZ-webserver
object network DMZ-webserver_public_IP
 host 1XX.2X.4.13
access-list outsideacl extended permit tcp any object DMZ-webserver eq www
access-list dmzacl extended permit ip any any
nat (dmzif,outsideif) source static DMZ-webserver DMZ-webserver_public_IP
object network inside-lan_outside
 nat (insideif,outsideif) dynamic interface
route outsideif outside-router 1
route insideif inside-router 1





There are no other access-lists in the running config.
Many thanks in advance.

New Member

I understand you are new to 9.x NAT; there are a couple of interesting links for NAT conversion


Hope the above link helps!!




Tushar Bangia


Please rate the post if you find it helpful!!
