Cisco ASA (8.4) ACL / NAT query.


I have to allow a machine in my DMZ, across a Cisco ASA (version 8.4), to be able to access an inside machine.

The source must be able to access the complete secure inside network on port smtp, but all other DMZ machines should not be able to access the inside.

I created the following:

object network obj-static-identity-


nat (inside,dmz) 1 source static  obj-static-identity- obj-static-identity-

access-list DMZ line 111 extended permit tcp host eq smtp


Now when I put in this line, access from the source network 10.80.10.x/23 (the complete network) towards the DMZ is lost, i.e. no one can access the DMZ at all.

access-list DMZ line 117 extended deny ip  any  (this ACL is applied on the DMZ interface in the "in" direction)

If I don't add the line above, how can I secure my inside network from the rest of the DMZ sources?

Please note there is a line at the end of the DMZ ACL:

access-list DMZ line 118 extended permit ip any

We know line 117 is above 118 and causes the response packets from the DMZ to stop working, but why does traffic towards the DMZ stop working?


Any idea?
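The following is an added example, not code from the original post or from Cisco. It models the two ASA behaviours this question turns on: an ACL applied "in" on an interface is evaluated top to bottom with first match winning (and an implicit deny at the end), and it is only consulted for the packet that opens a new connection on that interface, because replies to an established connection are matched against the connection table instead. All addresses, interface names and ACL lines are constructed assumptions; in particular, the poster's line 117 had its source and destination fields truncated in the post, so the `deny ip any <inside-net>` used here is only an assumed reading of it.

```python
"""Toy first-match ACL evaluator with a stateful connection table (added example).

Models ASA interface ACL semantics: first match wins, implicit deny at the end,
and the ACL is consulted only for the first packet of a new connection arriving
on that interface. Every address and ACE below is a constructed assumption.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str   # interface the packet arrives on


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # "eq <port>"; None means any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))


ANY = ip_network("0.0.0.0/0")


def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching ACE decides; like the ASA, deny if nothing matches."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


@dataclass
class StatefulFirewall:
    acls: dict                               # iface name -> inbound ACL
    conns: set = field(default_factory=set)  # established 5-tuples

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit"  # part of an existing connection: ACL is not consulted
        verdict = evaluate_acl(self.acls.get(pkt.iface, []), pkt)
        if verdict == "permit":
            self.conns.add(fwd)
        return verdict


# Constructed scenario (assumed values, not the poster's real addresses).
INSIDE_NET = ip_network("10.80.10.0/23")
SMTP_RELAY = ip_network("172.16.1.10/32")  # the one DMZ host allowed to reach inside SMTP

DMZ_ACL = [
    Ace("permit", "tcp", SMTP_RELAY, INSIDE_NET, 25),  # shape of the poster's line 111
    Ace("deny",   "ip",  ANY,        INSIDE_NET),      # assumed reading of line 117
    Ace("permit", "ip",  ANY,        ANY),             # line 118
]
# Same ACEs with the deny placed after "permit ip any any": the deny never fires.
MISORDERED_DMZ_ACL = [DMZ_ACL[0], DMZ_ACL[2], DMZ_ACL[1]]
INSIDE_ACL = [Ace("permit", "ip", ANY, ANY)]  # assumed: inside may open anything


def run_scenario() -> dict:
    fw = StatefulFirewall({"dmz": DMZ_ACL, "inside": INSIDE_ACL})
    return {
        "relay_to_inside_smtp":     fw.process(Packet("tcp", "172.16.1.10", "10.80.10.25", 40001, 25, "dmz")),
        "other_dmz_to_inside_smtp": fw.process(Packet("tcp", "172.16.1.30", "10.80.10.25", 40002, 25, "dmz")),
        "other_dmz_to_internet":    fw.process(Packet("tcp", "172.16.1.30", "203.0.113.9", 40003, 443, "dmz")),
        "inside_to_dmz_web":        fw.process(Packet("tcp", "10.80.10.5", "172.16.1.20", 50000, 80, "inside")),
        # reply to the connection above: matched by the conn table, not by the DMZ ACL
        "dmz_web_reply_to_inside":  fw.process(Packet("tcp", "172.16.1.20", "10.80.10.5", 80, 50000, "dmz")),
    }


def ordering_matters() -> tuple:
    """Same packet, same ACEs, different order: the verdict flips."""
    pkt = Packet("tcp", "172.16.1.30", "10.80.10.25", 40002, 25, "dmz")
    return evaluate_acl(DMZ_ACL, pkt), evaluate_acl(MISORDERED_DMZ_ACL, pkt)


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:28s} {verdict}")
    print("ordered vs misordered:", ordering_matters())
```

In this model the DMZ-inbound deny only affects connections opened from the DMZ; an inside host opening a connection to the DMZ, and the DMZ's replies to it, are never evaluated against the DMZ ACL. Whether the poster's real line 117 behaves like the assumed one depends on the source and destination fields that were cut from the post, so this is a check of the semantics, not a diagnosis of their box.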
