I know just enough of the Cisco CLI to make me dangerous. Here's the situation: I have an ASA5505 with DMZ (10.10.10.X) and Inside (192.168.0.X) VLANs. I'm running a couple of servers on a block of outside IPs (1.2.3.X).
From Inside, I can't talk to my DMZ machines. I can talk to the Outside address which is then properly translated to the internal server (is this called hairpinning?) but I want to be able to talk to DMZ addresses directly.
What am I missing here? Thanks in advance for anyone who's willing to advise!
I have an ASA 5505 running v8.4. I have one static IP that my ISP gives me and I need to use that for my INSIDE network as well as my DMZ. This becomes a PAT issue as I need some ports to terminate in the DMZ, and some to terminate in the INSIDE interface.
(I know this is more than a year old, but I hope it will be useful to others)
I think you have the ASA 5505 with the Basic license. The Basic license only allows 2 full VLANs, and the third has to be restricted with the command 'no forward interface VlanX'; that is why you cannot remove it.
Read this from the Cisco help:
With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use this option on the home VLAN; the business network can access the home network, but the home network cannot access the business network.
If you already have two VLAN interfaces configured with a name, be sure to configure this setting before setting the name on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.
There are a couple of issues.
- ICMP is blocked by the ASA interface by default.
- You cannot talk to a higher security-level interface from a lower security-level interface.
Although this is for Cisco PIX, this link should still be of some use to you.
If you configure 'same-security permit inter-interface' and have NAT enabled on an interface, then you must use NAT between the interfaces of the same security level. Add the following to your config:
access-list nat_inside_dmz extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! source of a nat 0 exemption ACL must be the network behind that interface (DMZ side here)
access-list nat_dmz_inside extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat_inside_dmz
nat (dmz) 0 access-list nat_dmz_inside
same-security permit inter-interface
no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
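As an added sanity check, not code from any answer on this page, here is a small Python lint for the two requirements stated above: every nat 0 exemption ACL must have sources that sit behind the interface it is bound to, and interfaces that share a security level need 'same-security permit inter-interface'. The interface security levels and subnets in IFACES are assumptions; the sample config lines are the ones posted in the answer, copied as written there.

```python
import re
from ipaddress import IPv4Network

# Assumed interface table (nameif -> (security-level, subnet)); not on the page.
IFACES = {"inside": (100, "192.168.1.0/24"), "dmz": (100, "10.10.10.0/24")}
# Constructed sample: the exemption lines as originally posted in the answer.
SAMPLE_CONFIG = """\
access-list nat_inside_dmz extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nat_dmz_inside extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nat_inside_dmz
nat (dmz) 0 access-list nat_dmz_inside
same-security permit inter-interface
"""
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")

def lint(cfg, ifaces=IFACES):
    """Return a list of findings; an empty list means both requirements are met."""
    acls, nat0 = {}, {}
    for line in cfg.splitlines():
        if m := ACE.match(line.strip()):
            name, sip, smask, dip, dmask = m.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{sip}/{smask}"), IPv4Network(f"{dip}/{dmask}")))
        elif m := NAT0.match(line.strip()):
            nat0[m.group(1)] = m.group(2)
    findings = []
    # 1. 'nat (X) 0 access-list' is evaluated on traffic arriving on interface X,
    #    so every ACE source must be a network that lives behind X.
    for nameif, acl in nat0.items():
        if nameif not in ifaces:
            findings.append(f"nat ({nameif}) 0: unknown interface {nameif}")
            continue
        net = IPv4Network(ifaces[nameif][1])
        for src, _dst in acls.get(acl, []):
            if not src.subnet_of(net):
                findings.append(f"nat ({nameif}) 0 ACL {acl}: source {src} is not behind {nameif} ({net})")
    # 2. Interfaces at the same security level pass no traffic to each other
    #    unless 'same-security permit inter-interface' is configured.
    if "same-security permit inter-interface" not in cfg:
        by_level = {}
        for nameif, (level, _net) in ifaces.items():
            by_level.setdefault(level, []).append(nameif)
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(f"{names} share security-level {level} without same-security permit inter-interface")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the lines as first posted it reports the reversed nat_dmz_inside ACL; swapping that ACE's source and destination clears it.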