ASA 5505 NAT/PAT static Question

Hi NG,

I got the following problem to solve:

I got one single public IP address whereby I PAT all my internal 192.168.X.Y networks. I got one DMZ interface using 192.168.2.X. I got internal hosts, for example 192.168.3.X.

Now with the following config, my hosts from the internal network as well as the DMZ hosts can get out to 0.0.0.0 without a problem.

My current problem is that I cannot connect from my internal 192.168.3.X network via my outside PAT address to services which are hosted in the DMZ (192.168.2.X). What is the correct "static" config for connecting from inside via the PAT address into my DMZ?

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255
Colin Cant

UPDATES:

With the following config applied:

static (dmz,inside) PUBLIC_IP PUBLIC_IP netmask 255.255.255.255

I get the following log messages: #"portmap translation creation failed for tcp src inside: 192.168.3.XY/xxx dst dmz:PUBLIC_IP/80". The funny thing is that within the log file I see the source IP of the PUBLIC_IP, but no destination... Now without the "static" config the log entry looks like this: #"TCP access denied by ACL from 192.168.3.X/xxx to inside PUBLIC_IP/80", and the same, an empty destination field... Even when I put the following ACLs in place, I get that previous TCP denied message; I actually expected to see from which ACL name the packet got denied/accepted.

access-list outside_access_in extended permit tcp any any range 1 65535 log
access-list outside_access_in extended permit udp any any range 1 65535 log
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit icmp any any log

access-list outside_access_out extended permit tcp any any range 1 65535 log
access-list outside_access_out extended permit udp any any range 1 65535 log
access-list outside_access_out extended permit ip any any log
access-list outside_access_out extended permit icmp any any log

access-list dmz_access_in extended permit tcp any any range 1 65535 log
access-list dmz_access_in extended permit udp any any range 1 65535 log
access-list dmz_access_in extended permit ip any any log
access-list dmz_access_in extended permit icmp any any log

access-list dmz_access_out extended permit tcp any any range 1 65535 log
access-list dmz_access_out extended permit udp any any range 1 65535 log
access-list dmz_access_out extended permit ip any any log
access-list dmz_access_out extended permit icmp any any log

access-list inside_access_in extended permit tcp any any range 1 65535 log
access-list inside_access_in extended permit udp any any range 1 65535 log
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit icmp any any log

access-list inside_access_out extended permit tcp any any range 1 65535 log
access-list inside_access_out extended permit udp any any range 1 65535 log
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit icmp any any log

access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside

"Colin Cant" wrote in message news:498dcdfc$0$146$ snipped-for-privacy@newsspool.solnet.ch...

Colin Cant
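For the destination-translation approach the update is groping towards, here is an added example in ASA 8.2-era syntax; it is not the thread's own config or Morph's answer. It assumes PUBLIC_IP is the single outside address from the post and uses 192.168.2.10 as a placeholder for the 192.168.2.XX web server. The "portmap translation creation failed ... src inside ... dst dmz" message in the update shows two separate things going wrong: the inside source has no usable translation toward the dmz interface, and the "static (dmz,inside) PUBLIC_IP PUBLIC_IP" line maps the public address to itself, which no DMZ host owns. The two static lines below address each of those in turn.

```cisco
! Added example (not the thread's config). ASA 8.2-style syntax.
! Assumed values: PUBLIC_IP = the single outside address,
! 192.168.2.10 = placeholder for the DMZ web server (192.168.2.XX in the post).

! 1. Keep inside -> dmz traffic untranslated (identity static).
!    "nat (inside) 1 0.0.0.0 0.0.0.0" also matches traffic leaving via dmz,
!    and there is no "global (dmz) 1" pool to translate it into, which is
!    what the "portmap translation creation failed ... dst dmz" log shows.
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

! 2. Present the public address on the inside interface and map it to the
!    real DMZ host: mapped address first, real address second.
static (dmz,inside) tcp PUBLIC_IP www 192.168.2.10 www netmask 255.255.255.255

! 3. The outside-facing rule from the original post, unchanged.
static (dmz,outside) tcp interface www 192.168.2.10 www netmask 255.255.255.255

! Checks after applying (from an inside host, connect to PUBLIC_IP:80):
! show xlate | include 192.168.2.10
! show logging | include 192.168.3.
```

With the identity static in place the inside client's own address is preserved toward the DMZ, so the dmz_access_in ACL and the server's own logs see 192.168.3.X rather than a translated address, which keeps the audit trail intact. The alternative the later reply points at, fixing name resolution so inside clients get the private address directly, avoids the second static altogether; the ASA's DNS rewrite ("dns" keyword on a static) does not apply to the interface PAT used here, so that route means split DNS rather than a firewall change.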

| Hi NG,
|
| I got the following problem to solve:
|
| I got one single public IP address whereby I PAT all my internal
| 192.168.X.Y networks.
| I got one DMZ interface using 192.168.2.X.
| I got internal hosts, for example 192.168.3.X.
|
| Now with the following config, my hosts from the internal network as well as
| the DMZ hosts can get out to 0.0.0.0 without a problem.
|
| My current problem is that I cannot connect from my internal 192.168.3.X
| network via my outside PAT address to services which are hosted in the DMZ
| (192.168.2.X).
| What is the correct "static" config for connecting from inside via the PAT
| address into my DMZ?
|
| global (outside) 1 interface
| nat (inside) 0 access-list inside_nat0_outbound
| nat (inside) 1 0.0.0.0 0.0.0.0
| nat (dmz) 1 192.168.2.0 255.255.255.0
| static (dmz,outside) tcp interface www 192.168.2.XX www netmask
| 255.255.255.255

Morph

Good guess, it's indeed about DNS.. thanks, I will have a look at it and try it.


Colin Cant
