Solved

ASA 5505: access from Single Machine in DMZ to all internal machines on a specific port

Posted on 2011-09-26
3
240 Views
Last Modified: 2012-05-12
WE have a pix on a stub network. We have 2 DMZs on it and want to allow a PC which is on it's own in one of the DMZ's and needs to contact the PC's on the internal network . Is it possible to do dynamic nat from outside to inside?  Can I have an example based on below.

ASA 5505

DMZ1 , Sec level 50 Int Address 192.168.2.1 /24    PC address 192.168.2.100
Inside,  Sec level 100 Int Address 172.16.2.1 /16    PC address Range 172.16.2.10 - 20

Thanks
0
Comment
Question by:bentham1
  • 2
3 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 36598421
Would you really need NAT at all? Yes, NAT should work, but have you tried setting up an NAT excemption? If the ASA is the Default Gateway for both the DMZ and the inside network, nothing else should be necessary ... (or, you could configure the "allow traffic through firewall without NAT" option, then all you need is the access list entry)
0
 

Author Comment

by:bentham1
ID: 36598658
For some reason, NAT is a requirement. Can't make that out myself - but I am too far down the pecking order!!
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
ID: 36598737
OK, using ASDM, just go to the NAT rules and add a new static policy rule with Original Interface as the DMZ interface you have the PC in, source the PCs IP, destination 172.16.2.0/27 (covers .1-.31), translated interface the internal interface, "Use IP address" some internal IP (don't use the interface IP address or you won't be able to connect to the FW anymore through it), then possibly add port translation if you want to limit it (or add them as access rules). That should do the trick.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question