Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    I don't know exactly which topic to place this question in, that's why I am placing it here.
    I got an opportunity for 3 days to work under a CCIE who was very rude, and I did not bother to ask him any questions as I knew he was not interested in explaining.

    I was able to understand all bits till the core SW through knowledge of your tutorials on VLANs and routing. However, I cannot understand a few bits in the design at this point.

    They got a public IP block from the ISP, let's say a 30 host count.

    Now the way the IPs are assigned is as follows: - => ISP router LAN interface connecting to my ASA
    - => Outside interface of my ASA

    Then there is the CORE-SW with different VLANs and a server VLAN, and a few servers connected to the server VLAN that require public access to them (web and email) [no DMZ].

    For the purpose of hiding the internal IP scheme, NAT is configured at the ASA pointing to the server as follows: ===NAT===>> ....

    So after all these lines, my question: on WHICH INTERFACE is THIS IP - - assigned? Where does this IP reside?

    - Does this IP remain in the company network?

    Please explain. As I know, no one can explain better than you in a simple way.


    Thanks in ADVANCE

  2. @Asi

    When you configure an IP address on the ASA then your ASA will know which IP addresses belong to the subnet. For example, let's say you have subnet

    Once you configure on the outside interface, your ASA knows that this is a subnet with 30 addresses. You can use any of the addresses in this subnet for NAT and you don't have to configure these addresses on the interface. Just make sure that it's not in use...


    You could use object groups to "bundle" multiple network objects. You could also configure a bigger subnet range in the network object.
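The reply above makes the point that the ASA learns the subnet from the address and mask on the outside interface, so any free address in that block can be used for NAT without being configured on the interface, as long as it is not already in use. The following is an added example, not code from the forum thread or from networklessons.com, that applies that check to a constructed /27 block (30 hosts, as in the question); every address, the interface and the gateway value are constructed sample data.

```python
"""Sanity-check public addresses chosen for NAT on an ASA outside interface.
Added example with constructed sample addresses; nothing here is taken from
the thread. The rule modelled: the address must be a host address inside the
outside interface's subnet and must not already be in use (interface address,
ISP gateway, or an address already mapped to another server)."""
import ipaddress

# Constructed sample: a /27 gives 30 usable host addresses, as in the question.
OUTSIDE_INTERFACE = "198.51.100.2/27"   # ASA outside interface (constructed)
ISP_GATEWAY = "198.51.100.1"            # ISP router LAN side (constructed)


def usable_nat_addresses(interface_cidr, reserved):
    """Return the addresses in the interface's subnet that are free for NAT:
    everything except the network/broadcast addresses, the interface address
    itself and the reserved set (gateway, addresses already assigned)."""
    iface = ipaddress.ip_interface(interface_cidr)
    reserved_ips = {ipaddress.ip_address(r) for r in reserved} | {iface.ip}
    return [h for h in iface.network.hosts() if h not in reserved_ips]


def check_nat_address(candidate, interface_cidr, reserved):
    """Explain whether a candidate public address is safe to use for NAT."""
    iface = ipaddress.ip_interface(interface_cidr)
    ip = ipaddress.ip_address(candidate)
    if ip not in iface.network:
        return "not in the outside interface subnet"
    if ip in (iface.network.network_address, iface.network.broadcast_address):
        return "network or broadcast address: not a host address"
    if ip == iface.ip:
        return "interface address itself: already in use by the ASA"
    if ip in {ipaddress.ip_address(r) for r in reserved}:
        return "already in use (reserved)"
    return "ok"


if __name__ == "__main__":
    # Constructed: the gateway plus one address already mapped to a server.
    reserved = [ISP_GATEWAY, "198.51.100.10"]
    for cand in ["198.51.100.3", "198.51.100.10", "198.51.100.31", "203.0.113.5"]:
        print(cand, "->", check_nat_address(cand, OUTSIDE_INTERFACE, reserved))
    print(len(usable_nat_addresses(OUTSIDE_INTERFACE, reserved)), "addresses free for NAT")
```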


  3. So, I have an odd situation.

    I have a traditional 3-legged setup with my ASA 5505, running 9.2, with the Security Plus license.

    Following your design, the inside is the 1 network, dmz is the 3 network and outside is the 2 network. I have an additional host beyond that is

    I am just doing what is apparently a traditional PAT, which works from the inside, but not from the outside. I see the ICMP requests going out from the DMZ, but no reply. Because of the security level, does that require something else?

    Here is some of the relevant code:

    ASA5505# sh run object
    object network inside
    object network dmz
    ASA5505# sh run nat
    nat (dmz,outside) source dynamic any interface
    object network inside
     nat (inside,outside) dynamic interface
    object network dmz
     nat (dmz,outside) dynamic interface

    My host at can ping its gateway at on the asa.
    Inside hosts can ping all hops from the gateway to the outside to the remote host.

    I have no other acls.

  4. So, after wiping out my ASA 5505 configuration and starting over, with the same nat rules as above, and also playing with ACLs like this:

    access-list dmz-out extended deny ip object dmz object inside
    access-list dmz-out extended permit ip object dmz any4

    I've come to some conclusions.
    1. the deny line above was used to prevent the dmz traffic to inside (worked)
    2. that nat, xlate were there.
    3. that icmp is not allowed out from dmz
    4. that ssh, and other protocols are allowed out without any ACL, just based on nat.

     174: 15:28:50.809345       802.1Q vlan#4 P0 > F 731092586:731092586(0) ack 902071277 win 32832 <nop,nop,timestamp 3218242 3220456>
     175: 15:28:50.819888       802.1Q vlan#4 P0 > . ack 731092586 win 32780 <nop,nop,timestamp 3220468 3218241>
     176: 15:28:50.819919       802.1Q vlan#4 P0 > F 902071277:902071277(0) ack 731092586 win 32832 <nop,nop,timestamp 3220471 3218241>
     177: 15:28:50.822009       802.1Q vlan#4 P0 > F 731092586:731092586(0) ack 902071278 win 32831 <nop,nop,timestamp 3218258 3220471>
     178: 15:28:50.823535       802.1Q vlan#4 P0 > . ack 731092587 win 32831 <nop,nop,timestamp 3220480 3218258>
     179: 15:28:59.991739       802.1Q vlan#4 P0 > S 3651934508:3651934508(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3227424 0,sackOK,eol>
     180: 15:28:59.993524       802.1Q vlan#4 P0 > S 2606032245:2606032245(0) ack 3651934509 win 65535 <mss 1380,nop,wscale 1,nop,nop,timestamp 3229649 3227424,sackOK,eol>
     181: 15:28:59.996255       802.1Q vlan#4 P0 > . ack 2606032246 win 32832 <nop,nop,timestamp 3227428 3229649>

    So, in conclusion, it all works just fine. It's likely a limitation or "security feature" of the 5505, but not because of the security-level on the DMZ interface (security-level 50).

  5. Hello Ryan.

    Thanks for sharing that valuable information from your experience!

