ASA static NAT problem

Dear boss,

Please see my attached network diagram and the following configuration.

! Inside LAN, highest security level
interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
! Outside (untrusted), lowest security level
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
! DMZ, intermediate security level
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
!
! Outbound ACL on local: only traffic from the mapped DMZ host may egress local
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
! One-to-one static: DMZ host 172.29.1.5 is seen as 192.168.0.241 on local
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
access-group DMZTOLocal out interface local
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

I get ping and access to 192.168.0.241 (172.29.1.5) from 192.168.0.0/16, but I can't get access or ping from 172.29.1.5 to 192.168.0.0/16.

What can I do if I want to get ping from DMZ to local?

Please suggest.

Thanking you,

Shahid

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA static NAT problem

Shahid,

The ASA/PIX firewalls allow you to go from a higher security level to a lower security level by default, but block traffic coming the other direction. You'll need to add an ACL on the DMZ interface allowing the traffic into your local LAN from the DMZ.

As a side note, is there a reason that you're NATing into the DMZ from your local side? You shouldn't if you can help it.

access-list FromDMZ permit icmp host 172.29.1.5 192.168.0.0 255.255.255.0

access-group FromDMZ in interface DMZ

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***
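The complete fix, written out as an added example rather than the original poster's or John's configuration. It uses the interface names and addresses from Shahid's post and the pre-8.3 `static` syntax his config already uses; the host 192.168.0.10 in the packet-tracer check and the TCP/1433 line are assumed values chosen only for illustration.

```text
! Added example: permit DMZ -> local for the existing static translation.
! Interface names and addresses come from the post above (ASA 8.2-style syntax).
!
! Existing one-to-one static: 172.29.1.5 on DMZ is reachable as 192.168.0.241 on local.
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
!
! DMZ (security-level 50) -> local (security-level 100) is denied by default.
! An inbound ACL on DMZ replaces that implicit policy with the list below plus an
! implicit deny at the end, so list only what the server actually needs.
! On the ingress interface the ACL sees the real (untranslated) source, 172.29.1.5.
! Permit only ICMP echo; echo-reply comes back statefully because "inspect icmp"
! is already in global_policy.
access-list FromDMZ extended permit icmp host 172.29.1.5 192.168.0.0 255.255.0.0 echo
! Assumed example of a specific service the DMZ host needs (not from the post):
access-list FromDMZ extended permit tcp host 172.29.1.5 host 192.168.0.10 eq 1433
access-group FromDMZ in interface DMZ
!
! The existing outbound ACL on local is still evaluated on egress. There the packet
! has already been translated, so its source is 192.168.0.241, which DMZTOLocal
! already permits towards 192.168.0.0/16; nothing to change on that side.
!
! Verify from the CLI (packet-tracer simulates an ICMP echo, type 8 code 0, from
! the DMZ host to the assumed local host 192.168.0.10; show access-list reports hit counts):
packet-tracer input DMZ icmp 172.29.1.5 8 0 192.168.0.10 detailed
show access-list FromDMZ
!
! Equivalent translation on ASA 8.3 and later, where the static command no longer
! exists and ACLs match real addresses on both sides:
object network DMZ-SERVER
 host 172.29.1.5
 nat (DMZ,local) static 192.168.0.241
```

Keep the ACE list as narrow as the server's job allows: `permit ip` from the DMZ host into the whole LAN would turn the DMZ host into a pivot into local if it is ever compromised, which is the main reason a DMZ exists. If packet-tracer reports a drop at the ACL phase after this change, the usual cause is a wrong address on the ACE (real versus translated) for the software version in use.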