How do I create a route from the Inside Network to the DMZ Network?

Posted on 2008-06-25
Last Modified: 2010-04-17
     I am trying to gain access from the Inside Network ( to the DMZ Network ( so we can see our Web Server from the Inside.  The code snippet shows our current configuration with some slight mods for privacy.  Everything is currently working, the VPN connections are going to the VPN Server, the POP3 and IMAP4 connections are going to the Mail Server and even Web Requests for X.X.X.2 are being directed to the Web Server in the DMZ.  But I just can not seem to get the setup correct to gain access from the Inside Network to the DMZ Network.  I am sure I am making it way harder than it should be.  Can someone point me in the right direction?
: Saved

: Written by enable_15 at 11:33:14.721 CST Tue Jun 24 2008


ASA Version 7.0(7) 


hostname COMPANY

domain-name company.local

enable password XXXXXXXXXXXXXXXX encrypted


name VPNServer

name MailServer

name WebServer



interface Ethernet0/0

 nameif outside

 security-level 0

 ip address X.X.X.1 


interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 


interface Ethernet0/2

 nameif dmz

 security-level 50

 ip address 


interface Ethernet0/3


 no nameif

 no security-level

 no ip address


interface Management0/0

 nameif management

 security-level 100

 ip address 



passwd XXXXXXXXXXXXXXXX encrypted

ftp mode passive

clock timezone CST -6

access-list inbound extended permit tcp any interface outside eq pop3 

access-list inbound extended permit udp any interface outside eq isakmp 

access-list inbound extended permit tcp any interface outside eq imap4 

access-list inbound extended permit tcp any interface outside eq pptp 

access-list inbound extended permit tcp any host X.X.X.2 eq www 

access-list outbound extended permit tcp host MailServer any eq smtp 

access-list outbound extended deny tcp any any eq smtp 

access-list outbound extended permit ip any any 

pager lines 24

logging enable

logging trap informational

logging asdm informational

logging host inside

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

no failover

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400


global (outside) 1 interface

nat (inside) 1

nat (dmz) 1

static (inside,outside) tcp interface pptp VPNServer pptp netmask 

static (inside,outside) tcp interface pop3 MailServer pop3 netmask 

static (inside,outside) tcp interface imap4 MailServer imap4 netmask 

static (inside,outside) udp interface isakmp VPNServer isakmp netmask 

static (dmz,outside) X.X.X.2 WebServer netmask 

access-group inbound in interface outside

access-group outbound in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-ipsec

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management


class-map inspection_default

 match default-inspection-traffic



policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect pptp 

  inspect http 


service-policy global_policy global

tftp-server inside /pix_config


: end

Open in new window

Question by:RHebbe

Expert Comment

ID: 21870131
you should eb able to get from inside to a lower security level by default.
LVL 28

Expert Comment

by:Jan Springer
ID: 21870181

Accepted Solution

RHebbe earned 0 total points
ID: 21926183
Ok.  I had missed 2 things.  First, we are part of a WAN and our WAN router was grabbing the 192.168.X.X network and shooting it out to our WAN.  Once I fixed that, I was missing following line  

static (inside,dmz) netmask

Once those 2 things were done, all is working correctly now.

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now