Link to home
Start Free TrialLog in
Avatar of RAMU CH
RAMU CHFlag for India

asked on

Access to Outside and DMZ Networks at a time from a PC at inside

Hi ,

My PC is at Inside Network, I Have Natted my PC to DMZ Zone IP address ,later my i am unable to access to outside Network over ASA Firewall..If i remove the entry then DMZ network is not coming.

Will you pls give the respective rule / entry to make access both the Networks at a time

Avatar of fgasimzade
Flag of Azerbaijan image

You dont need NAT to access DMZ. Can you post your config?
you use nat only to acces the internet. if you want to acces the dmz you only need routing between dmz and inside network.
Not correct.   You would need NAT in the form of either a GLOBAL or a NONAT ACL to get from the inside zone to the lower security level zones (DMZ and outside).  

If I hear correctly, you have outside working, but not dmz.   If you remove outside, then DMZ works.    Sounds to me like you have a 5505 on a standard lic that only allows NAT through to 1 zone.  

Can you run a SHOW VER on the ASA and post results.   Also, post a sanitized config.  

when you configure security for lan- to- dmz you must control acces but you don't use nat, what passible reason do you have to translate address when access the dmz from inside ?
Yes you control access, but you still need to allow the traffic with global or a nat.     True, there is no reason to translate the addresses.  That's why you would use a NONAT for the inside subnet to get to the DMZ.  
Avatar of RAMU CH



Mine is ASA  5520

AH Version Output is :

NEW-TCL-ILL-FW# sh version

Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 6.0(3)

Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"

NEW-TCL-ILL-FW up 27 days 11 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0  : address is 001e.f762.d380, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001e.f762.d381, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001e.f762.d382, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001e.f762.d383, irq 9
 4: Ext: Management0/0       : address is 001e.f762.d37f, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
 Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1215L20S
Running Activation Key: 0xd0134977 0x14b7c6fd 0xb411f51c 0xbf54f070 0x0f1aa9ab
Configuration register is 0x1
Configuration last modified by enable_15 at 05:11:03.888 UTC Thu Aug 11 2011

How to give command of Nat 0 to the Inside IP address to DMZ because if you give NAT 0 , it wll apply both DMZ and Outside also,

Pls suggest.


Avatar of RAMU CH



No woth with NAT 0 because when i want to go to Internet , my IP transalting as it then

see the below output

NEW-TCL-ILL-FW# sh xlate interface inside local
206 in use, 1213 most used
Global Local
Global Local

Here my  iP address ..

Avatar of MikeKane
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of RAMU CH