Access to Outside and DMZ Networks at a time from a PC at inside

RAMU CH
Hi ,

My PC is on the inside network. I have NATted my PC to a DMZ-zone IP address; after that I am unable to access the outside network over the ASA firewall. If I remove the entry, then the DMZ network is not coming up.

Will you please give the respective rule / entry to make access to both networks at the same time possible?

Regards
ramu
Top Expert 2011

Commented:
You don't need NAT to access the DMZ. Can you post your config?
You use NAT only to access the internet. If you want to access the DMZ, you only need routing between the DMZ and inside networks.
Top Expert 2010

Commented:
Not correct. You would need NAT in the form of either a GLOBAL or a NONAT ACL to get from the inside zone to the lower security level zones (DMZ and outside).

If I hear correctly, you have outside working, but not DMZ. If you remove outside, then DMZ works. Sounds to me like you have a 5505 on a standard license that only allows NAT through to 1 zone.

Can you run a SHOW VER on the ASA and post the results. Also, post a sanitized config.

When you configure security for LAN-to-DMZ you must control access, but you don't use NAT. What possible reason do you have to translate addresses when accessing the DMZ from inside?
Top Expert 2010

Commented:
Yes, you control access, but you still need to allow the traffic with a global or a nat. True, there is no reason to translate the addresses. That's why you would use a NONAT for the inside subnet to get to the DMZ.

Author

Commented:
Hi,

Mine is an ASA 5520.

The version output is:

NEW-TCL-ILL-FW# sh version

Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 6.0(3)

Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"

NEW-TCL-ILL-FW up 27 days 11 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0  : address is 001e.f762.d380, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001e.f762.d381, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001e.f762.d382, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001e.f762.d383, irq 9
 4: Ext: Management0/0       : address is 001e.f762.d37f, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
 Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1215L20S
Running Activation Key: 0xd0134977 0x14b7c6fd 0xb411f51c 0xbf54f070 0x0f1aa9ab
Configuration register is 0x1
Configuration last modified by enable_15 at 05:11:03.888 UTC Thu Aug 11 2011


How do I give the NAT 0 command for the inside IP address to the DMZ only? Because if you give NAT 0, it will apply to both DMZ and outside as well.

Please suggest.

Regards
Ramu
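As an added example (not the thread author's configuration and not code from either expert), the pre-8.3 ASA NAT layout that the NONAT suggestion above refers to, scoped so that the exemption applies only to inside-to-DMZ traffic while inside-to-outside traffic still gets PAT. It also answers the question above about keeping NAT 0 away from the outside zone. The inside subnet 172.16.10.0/24 (the author's host 172.16.10.22 falls in it), the DMZ subnet 192.168.100.0/24, the DMZ host 192.168.100.10, the ACL names and the interface names are assumptions for illustration only; the syntax is the 8.0-era syntax matching the 8.0(5) image shown in the version output.

```cisco
! Added example, not the thread author's running config.
! Assumed addressing: inside 172.16.10.0/24, DMZ 192.168.100.0/24.
! ASA 8.0 (pre-8.3) NAT syntax.

! 1. NAT exemption only for inside -> DMZ, selected by source AND destination.
!    Because the match is on the destination too, outside-bound traffic does
!    not hit this rule and still gets translated by the PAT rule below.
access-list INSIDE_TO_DMZ_NONAT extended permit ip 172.16.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE_TO_DMZ_NONAT

! 2. Everything else leaving inside is PATed to the outside interface address.
nat (inside) 1 172.16.10.0 255.255.255.0
global (outside) 1 interface

! 3. Control access as well (least privilege): allow only the DMZ services
!    actually needed, deny the rest of the DMZ, then allow internet-bound traffic.
access-list INSIDE_IN extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.10 eq 443
access-list INSIDE_IN extended deny ip any 192.168.100.0 255.255.255.0
access-list INSIDE_IN extended permit ip 172.16.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! 4. Check both paths without sending real traffic:
!    the first trace should show the NAT-exempt (identity) path to the DMZ,
!    the second should show the dynamic PAT to the outside interface address.
packet-tracer input inside tcp 172.16.10.22 12345 192.168.100.10 443
packet-tracer input inside tcp 172.16.10.22 12345 198.51.100.1 80
```

The reason a plain identity rule such as `nat (inside) 0 172.16.10.22 255.255.255.255` breaks internet access is that it has no destination condition: it exempts the host towards every lower-security interface, so traffic to the outside leaves with the private source address untranslated, which is exactly what the `show xlate` output later in the thread (Global equal to Local) reflects. The ACL form of `nat (inside) 0` is the one that can be limited to a single destination network.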



Author

Commented:
Hi,

Not working with NAT 0, because when I want to go to the internet my IP is translated as it is; see the output below.

NEW-TCL-ILL-FW# sh xlate interface inside local 172.16.10.22
206 in use, 1213 most used
Global 172.16.10.22 Local 172.16.10.22
Global 172.16.10.22 Local 172.16.10.22

Here my IP address is 172.16.10.22.

Regards
Ramu
Top Expert 2010
Commented:
I need to see a full config from the ASA. Sanitize it, removing any public IPs, passwords, etc., and post it here please.

Author

Commented:
Thanks
