Solved

ASA 5505: access from Single Machine in DMZ to all internal machines on a specific port

Posted on 2011-09-26
Last Modified: 2012-05-12
We have a PIX on a stub network. We have 2 DMZs on it and want to allow a PC, which is on its own in one of the DMZs, to contact the PCs on the internal network. Is it possible to do dynamic NAT from outside to inside? Can I have an example based on the below?

ASA 5505

DMZ1 , Sec level 50 Int Address 192.168.2.1 /24    PC address 192.168.2.100
Inside,  Sec level 100 Int Address 172.16.2.1 /16    PC address Range 172.16.2.10 - 20

Thanks
Question by:bentham1
LVL 17

Expert Comment

by:Garry-G
Would you really need NAT at all? Yes, NAT should work, but have you tried setting up a NAT exemption? If the ASA is the default gateway for both the DMZ and the inside network, nothing else should be necessary ... (or, you could configure the "allow traffic through firewall without NAT" option, then all you need is the access list entry)

Author Comment

by:bentham1
For some reason, NAT is a requirement. Can't make that out myself - but I am too far down the pecking order!!
LVL 17

Accepted Solution

by:Garry-G earned 500 total points
OK, using ASDM, just go to the NAT rules and add a new static policy rule with Original Interface as the DMZ interface you have the PC in, source the PC's IP, destination 172.16.2.0/27 (covers .1-.31), translated interface the internal interface, "Use IP address" some internal IP (don't use the interface IP address or you won't be able to connect to the FW anymore through it), then possibly add port translation if you want to limit it (or add them as access rules). That should do the trick.
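
The static policy NAT rule described in the accepted answer, written as CLI configuration. This is an added example, not part of the original thread. It assumes pre-8.3 ASA software (where "static policy" rules exist), interface names `DMZ1` and `inside`, and uses constructed values for the ACL names, the mapped address 172.16.2.200 and TCP port 443.

```cisco
! Added example (not from the thread). Assumes pre-8.3 ASA syntax.
! Constructed values: ACL names, mapped address 172.16.2.200, TCP port 443.
! Assumed nameif names: DMZ1 (security 50) and inside (security 100).

! Policy NAT match: only traffic from the DMZ PC to the inside PC block.
! 172.16.2.0/27 covers .1-.31, which is wider than the .10-.20 PC range
! and includes the inside interface address 172.16.2.1.
access-list DMZ1_POLICY_NAT extended permit ip host 192.168.2.100 172.16.2.0 255.255.255.224

! Present the DMZ PC to inside hosts as a spare inside address.
! Do not use the inside interface address (172.16.2.1) as the mapped address.
static (DMZ1,inside) 172.16.2.200 access-list DMZ1_POLICY_NAT

! Lower-to-higher security traffic is denied unless an ACL permits it.
! Permit only the single required port from the single DMZ host.
access-list DMZ1_IN extended permit tcp host 192.168.2.100 172.16.2.0 255.255.255.224 eq 443

! Binding replaces any ACL already applied inbound on DMZ1.
access-group DMZ1_IN in interface DMZ1

! Checks after applying:
!   show xlate
!   show access-list DMZ1_IN
!   packet-tracer input DMZ1 tcp 192.168.2.100 1025 172.16.2.10 443
```

Keeping the port restriction in the interface ACL rather than in the NAT rule means the hit counters in `show access-list` show exactly what the DMZ host is reaching on the inside network.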