Cisco Support Community
the illusive inside to dmz nat issue

I am setting up my DMZ area on my new 5520 and have the outside-to-DMZ NAT for a web server working properly. However, I'm having trouble understanding what needs to be done for reaching that web server from the inside. I have been reading about inside-to-DMZ NAT, identity NAT, etc. Below is a partial config. I'm trying to access the 10.2.253.16 web server in the DMZ from the inside. Any advice is appreciated, thanks.

ASA Version 8.0(3)
!
hostname cdpasa1
domain-name xx.com
enable password BWaQlcykry5AAxTH encrypted
names
name 10.249.48.0 Hgnwhse description Hgnwhse
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 74.x.x.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.30.13 255.255.192.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.2.253.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.3 255.255.255.0
 management-only
!
passwd BWaQlcykry5AAxTH encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cecodoor.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list cecovpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cecovpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Hgnwhse 255.255.255.0 10.2.0.0 255.255.192.0
access-list outside_1_cryptomap extended permit ip any Hgnwhse 255.255.255.0
access-list outside_in extended permit tcp any host 74.x.x.13 eq www
access-list outside_in extended permit tcp any host 74.x.x.13 eq https
access-list outside_in extended permit tcp any host 74.x.x.14 eq www
access-list outside_in extended permit esp any any
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit icmp any host 74.x.x.13
access-list outside_in extended permit icmp any host 74.x.x.16
access-list outside_in extended permit tcp any host 74.x.x.16 eq www
access-list outside_in extended permit tcp any host 74.x.x.16 eq https
access-list outside_in extended deny ip any any log
access-list inside_nat0 extended permit ip any 10.2.253.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.2.23.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 20000
logging monitor informational
logging buffered informational
logging asdm informational
logging from-address asa5520@cecodoor.com
logging recipient-address chays@cecodoor.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.249.48.1 outside
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 74.x.x.13 10.2.18.13 netmask 255.255.255.255
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
static (DMZ,outside) 74.x.x.16 10.2.253.16 netmask 255.255.255.255
access-group outside_in in interface outside

2 REPLIES
Re: the illusive inside to dmz nat issue

Sorry, wrong area, I will repost in the security area.

Re: the illusive inside to dmz nat issue

Mark,

This statement is all you need as long as the inside client is part of 10.2.20.0 255.255.254.0.

static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0

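As an added example (not from the thread or from Cisco), a small Python checker that parses the `static` lines from the posted config and tests whether a given inside host falls inside the real-address range of the (inside,DMZ) identity static that the reply points to. The config text is copied from the post; the client addresses tested are constructed, and the redacted 74.x.x.* statics are skipped because they cannot be parsed.

```python
import ipaddress
import re

# Constructed sample: the static NAT lines copied from the posted ASA 8.0(3) config.
# Syntax: static (real_if,mapped_if) mapped_addr real_addr netmask mask
ASA_STATICS = """
static (inside,outside) 74.x.x.13 10.2.18.13 netmask 255.255.255.255
static (inside,DMZ) 10.2.20.0 10.2.20.0 netmask 255.255.254.0
static (DMZ,outside) 74.x.x.16 10.2.253.16 netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def parse_statics(config):
    """Return one dict per parseable static line; identity == real and mapped ranges match."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        try:
            real_net = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
            mapped_net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        except ValueError:
            continue  # redacted addresses such as 74.x.x.13 are not parseable
        rules.append({
            "real_if": m["real_if"], "mapped_if": m["mapped_if"],
            "real": real_net, "mapped": mapped_net,
            "identity": real_net == mapped_net,
        })
    return rules


def static_for(rules, client_ip, real_if, mapped_if):
    """Return the static covering client_ip from real_if toward mapped_if, or None."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["real_if"] == real_if and r["mapped_if"] == mapped_if and ip in r["real"]:
            return r
    return None


if __name__ == "__main__":
    rules = parse_statics(ASA_STATICS)
    # 10.2.20.5 lies in 10.2.20.0/23 and is covered; 10.2.30.13 (the inside interface address) is not.
    for host in ("10.2.20.5", "10.2.30.13"):
        print(host, "covered by (inside,DMZ) static:", static_for(rules, host, "inside", "DMZ") is not None)
```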