TOPIC: Could someone have a look at my config?.... (ASA-5505)

Could someone have a look at my config?.... (ASA-5505) 7 years 8 months ago #36877


This is my first post here, but I've managed to learn a fair amount from reading through this site, so I thought I'd join and ask my question...

I've been given an ASA5505 to configure for our SOHO environment, which I currently have set up on my test bench.

We're going for an Inside/Outside/DMZ layout, and I believe I've got the basics of the setup in place; the only thing that's not quite there is redirecting the public IP to the DMZ host for inside/outside users, so I'm wondering if some kind soul could have a quick glance at my config and give any pointers.

I can reach the DMZ from the inside and I can reach outside from both the inside and the DMZ, so that's about as far as I've got :(

Layout is as follows;

[code:1]
                            +--> INSIDE
NET <--> RTR <--> ASA5505 <--+--> INSIDE
                |           +--> INSIDE
ASA5505 =,,
INSIDE =
[/code:1]

Config is over at to save filling this post up.

Re: Could someone have a look at my config?.... (ASA-5505) 7 years 8 months ago #36878

  • r0nni3
Hey Daemonic,

Welcome to

Do you mean you want to connect from the inside network to the DMZ using the external IP address of the outside interface?
If this is the case it is never going to work. You can't connect (actually you can, but it's easier not to) from the inside network to your own outside IP addresses.
To connect to your DMZ you have to use the internal IP addresses of the DMZ (by either using NAT or NAT0). If you're connecting to the DMZ using hostnames I suggest you use static NAT translations with the DNS keyword at the end. This enables something called "DNS doctoring". It rewrites the destination of the outside IP address to the DMZ IP address of the host you're connecting to.
You can only use DNS doctoring with 1-to-1 NAT, so don't try to use it with PAT.
Also I suggest using NAT0 for your internal networks.

[code:1]
access-list no_nat permit ip
[/code:1]
this defines the traffic you want to use NAT0 for.

[code:1]
no global (dmz) 1 interface
nat (inside) 0 access-list no_nat
[/code:1]
this removes the use of NAT between internal networks and enables NAT0

[code:1]
static (dmz,outside) dns
[/code:1]
This is the static translation to map an external IP address to a DMZ host. When you connect using DNS the ASA will now rewrite the destination from to , making it possible to use the same DNS record for internal and external use.

[code:1]
access-list outside_in permit tcp any host eq 80
access-group outside_in in interface outside
[/code:1]
this allows access to the host from the internet.

I hope this helps
Currently working as Cisco Engineer at Neon-Networking.

CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
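As an added example (not r0nni3's own snippets above, and not the OP's linked config, which is not on this page), here is the reply's three pieces assembled into one complete pre-8.3 ASA 5505 configuration: NAT0 for inside-to-DMZ traffic, a one-to-one static with the dns keyword for DNS doctoring, and the inbound ACL. Every address, VLAN number and switchport assignment below is an assumption chosen for illustration, and the alternative static (dmz,inside) line is an addition of this example, not something the reply suggests.

```cisco
! ASA 5505, pre-8.3 NAT syntax (same static/global/nat commands as the reply above).
! Assumed addressing for this example (not the poster's real network):
!   inside  192.168.1.0/24  (ASA = 192.168.1.1)
!   dmz     192.168.2.0/24  (ASA = 192.168.2.1, web server = 192.168.2.10)
!   outside 203.0.113.2/29  (public IP mapped to the web server = 203.0.113.3)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 ! Base-license 5505 only: the third VLAN must be barred from initiating traffic to one
 ! other VLAN, and this line has to come before nameif. Drop it on a Security Plus license.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! 1. NAT0 (NAT exemption) for inside -> dmz. The DMZ host sees the real inside addresses
!    and no global (dmz) pool is needed for this traffic.
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
!
! 2. PAT behind the outside interface address for inside and dmz hosts going to the Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3. One-to-one static for the DMZ web server, with the dns keyword. When a DNS reply
!    carrying 203.0.113.3 comes in on the outside interface (inside clients resolving the
!    public name), the ASA rewrites the A record to 192.168.2.10, so inside clients connect
!    straight to the DMZ address. This requires "inspect dns" in the global policy, which
!    is there by default; verify with: show run policy-map global_policy
static (dmz,outside) 203.0.113.3 192.168.2.10 netmask 255.255.255.255 dns
!
! 4. Let the Internet reach the web server on its public address, port 80 only.
access-list outside_in extended permit tcp any host 203.0.113.3 eq 80
access-group outside_in in interface outside
!
! Alternative (an assumption of this example, not part of the reply): if inside clients
! use the literal public IP instead of a name, present 203.0.113.3 on the inside interface
! as a destination NAT so inside -> 203.0.113.3 is untranslated to 192.168.2.10 on the dmz.
!   static (dmz,inside) 203.0.113.3 192.168.2.10 netmask 255.255.255.255
!
! Checks from the CLI (sample client addresses are made up):
!   packet-tracer input inside tcp 192.168.1.50 12345 192.168.2.10 80
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 80
!   show xlate
```

The two packet-tracer lines are the quickest way to confirm each direction before moving the box off the test bench: the first should show the no_nat exemption being hit with no translation, the second should show the static and the outside_in ACL both matching. If DNS doctoring does not take effect, the usual causes are DNS inspection having been removed from the global policy or the static being a PAT rather than a one-to-one mapping, which the reply above already warns about.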

Re: Could someone have a look at my config?.... (ASA-5505) 7 years 8 months ago #36881


Thanks for the pointers, and yes, ultimately I do want to connect to the DMZ using the external IP, which is detailed in Chapter 6 of , it's just that I'm getting a little lost with their examples ((a) because the images don't match the text for the networks, and (b) it's for an older version of ASA/ASDM).

I'm wondering if anyone can give me the commands to recreate that example (either CLI or ASDM)?

Perhaps there is a newer guide than the above PDF?