How do I create a route from the Inside Network to the DMZ Network?

Posted on 2008-06-25
Last Modified: 2010-04-17
     I am trying to gain access from the Inside Network ( to the DMZ Network ( so we can see our Web Server from the Inside.  The code snippet shows our current configuration with some slight mods for privacy.  Everything is currently working, the VPN connections are going to the VPN Server, the POP3 and IMAP4 connections are going to the Mail Server and even Web Requests for X.X.X.2 are being directed to the Web Server in the DMZ.  But I just can not seem to get the setup correct to gain access from the Inside Network to the DMZ Network.  I am sure I am making it way harder than it should be.  Can someone point me in the right direction?
: Saved

: Written by enable_15 at 11:33:14.721 CST Tue Jun 24 2008


ASA Version 7.0(7) 


hostname COMPANY

domain-name company.local

enable password XXXXXXXXXXXXXXXX encrypted


name VPNServer

name MailServer

name WebServer



interface Ethernet0/0

 nameif outside

 security-level 0

 ip address X.X.X.1 


interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 


interface Ethernet0/2

 nameif dmz

 security-level 50

 ip address 


interface Ethernet0/3


 no nameif

 no security-level

 no ip address


interface Management0/0

 nameif management

 security-level 100

 ip address 



passwd XXXXXXXXXXXXXXXX encrypted

ftp mode passive

clock timezone CST -6

access-list inbound extended permit tcp any interface outside eq pop3 

access-list inbound extended permit udp any interface outside eq isakmp 

access-list inbound extended permit tcp any interface outside eq imap4 

access-list inbound extended permit tcp any interface outside eq pptp 

access-list inbound extended permit tcp any host X.X.X.2 eq www 

access-list outbound extended permit tcp host MailServer any eq smtp 

access-list outbound extended deny tcp any any eq smtp 

access-list outbound extended permit ip any any 

pager lines 24

logging enable

logging trap informational

logging asdm informational

logging host inside

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

no failover

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400


global (outside) 1 interface

nat (inside) 1

nat (dmz) 1

static (inside,outside) tcp interface pptp VPNServer pptp netmask 

static (inside,outside) tcp interface pop3 MailServer pop3 netmask 

static (inside,outside) tcp interface imap4 MailServer imap4 netmask 

static (inside,outside) udp interface isakmp VPNServer isakmp netmask 

static (dmz,outside) X.X.X.2 WebServer netmask 

access-group inbound in interface outside

access-group outbound in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-ipsec

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management


class-map inspection_default

 match default-inspection-traffic



policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect pptp 

  inspect http 


service-policy global_policy global

tftp-server inside /pix_config


: end

Open in new window

Question by:RHebbe

Expert Comment

ID: 21870131
you should eb able to get from inside to a lower security level by default.
LVL 28

Expert Comment

by:Jan Springer
ID: 21870181

Accepted Solution

RHebbe earned 0 total points
ID: 21926183
Ok.  I had missed 2 things.  First, we are part of a WAN and our WAN router was grabbing the 192.168.X.X network and shooting it out to our WAN.  Once I fixed that, I was missing following line  

static (inside,dmz) netmask

Once those 2 things were done, all is working correctly now.

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco NBAR 6 31
How do to revert to start-up config on a Cisco Switch Stack 11 33
Read-only SNMP string example ? 7 73
CISCO ATA 190 using PRI DID number 6 24
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now