I see that you have 1 internal, 1 outside, and 1 DMZ. I have a setup very similar to this, except our DMZ is just another public stub subnet separate from our outside (different VLAN, different public subnet) off of the same ASA 5505. Our outside is a group of public IPs that we PAT individually to inside hosts.
My question is on our internal, we're using PAT, and I can access our "DMZ" but our DMZ hosts can't access our outside hosts that are PATed to the inside. What am I missing?
Thanks!
bjashnby 1 year ago
@bjashnby
It sounds like you want to go from the DMZ to the Inside segment. Did you upgrade your license to "security plus"? The base license on an ASA5505 doesn't allow you to go from DMZ to inside. You can go from Inside to DMZ, Inside to Outside, Outside to DMZ, and Outside to Inside, but not from DMZ to Inside. The Security Plus license removes this restriction.
Regards,
CSO.
CovertSecOps 1 year ago
We do have the Security Plus license. We have existing PATs from Outside to Inside already in place, but for consistency, we would like our "DMZ" hosts to access our inside hosts through the addresses setup on the Outside interface. Can this even be done, or do you have to go directly from DMZ to Inside?
Thanks for the help and I love the videos!
bjashnby 1 year ago
@bjashnby
Not sure if this should work. Never tried to do that before. I would have just gone from DMZ to inside. Can you show me the NAT/PAT statements you are using?
CSO
CovertSecOps 1 year ago
How would PAT work in the case of there only being 1 external IP and multiple boxes on the inside maybe using the same ports at times?
Anisylum 1 year ago
@Anisylum
Each internal IP would use the same translated public IP and a unique port number as its source. There are 65,535 ports, so in theory you could translate 65,535 internal IPs to 1 public IP using PAT.
If you need to translate more than 65,535 internal hosts, you can add another IP to the PAT pool and then translate 131,070 internal IPs to 2 public IPs, and keep adding new IPs to the PAT pool as needed.
CSO
CovertSecOps 1 year ago
@Anisylum
I think I just understood your original question. You can't translate two different internal users to the same external source port using PAT. They can have the same source port on the private side, but if you're PATing to 1 public IP, they would each be assigned a different translated public source port.
If you need the same source port on the public side, you can't use straight PAT. You'll have to look at other options for translation.
Hope that answers your question.
CSO
CovertSecOps 1 year ago
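The two replies above about PAT port allocation can be made concrete with a small model of the translation table. This is an added example, not code from the thread or from Cisco: it tracks one xlate per inside flow, hands each flow a unique public source port on the first pool address that still has one free, falls back to the next pool address once the first is exhausted, and maps reply packets back to the inside flow. The public addresses, inside hosts and the tiny port range used in the demo are constructed so that exhaustion is visible; a real firewall's port range and allocation order differ.

```python
"""Model of PAT (port address translation) source-port allocation.

Added example, not from the thread. It shows why two inside hosts may reuse
the same private source port, why they can never share one public source
port on the same public IP, and how a second address in the PAT pool takes
over when the first one runs out of ports.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Flow = tuple[str, int, str, int]        # (src_ip, src_port, dst_ip, dst_port)
Xlate = tuple[str, int]                 # (public_ip, public_port)


@dataclass
class PatTable:
    pool: list[str]                     # public IPs to PAT behind, tried in order
    low: int = 1024                     # port range is an assumption of this model
    high: int = 65535
    forward: dict[Flow, Xlate] = field(default_factory=dict)
    reverse: dict[Xlate, Flow] = field(default_factory=dict)
    next_port: dict[str, int] = field(default_factory=dict)
    freed: dict[str, list[int]] = field(default_factory=dict)

    def _alloc(self, public_ip: str) -> int | None:
        """Hand out one unused port on public_ip, or None if none is left."""
        if self.freed.get(public_ip):
            return self.freed[public_ip].pop()
        port = self.next_port.get(public_ip, self.low)
        if port > self.high:
            return None
        self.next_port[public_ip] = port + 1
        return port

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Xlate:
        """Outbound packet from the inside: reuse or build its xlate."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.forward:
            return self.forward[flow]
        for public_ip in self.pool:     # first pool address with a free port wins
            port = self._alloc(public_ip)
            if port is not None:
                self.forward[flow] = (public_ip, port)
                self.reverse[(public_ip, port)] = flow
                return self.forward[flow]
        raise RuntimeError("PAT pool exhausted: add another public IP to the pool")

    def untranslate(self, public_ip: str, public_port: int) -> Flow | None:
        """Reply packet on the outside: the public port alone identifies the inside flow."""
        return self.reverse.get((public_ip, public_port))

    def release(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Connection torn down: the public port goes back to the pool."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        public_ip, port = self.forward.pop(flow)
        del self.reverse[(public_ip, port)]
        self.freed.setdefault(public_ip, []).append(port)

    def capacity(self) -> int:
        """Maximum number of simultaneous xlates the pool can hold."""
        return len(self.pool) * (self.high - self.low + 1)


def demo() -> dict:
    # Constructed sample: two public IPs and a two-port range so exhaustion shows up.
    pat = PatTable(pool=["203.0.113.1", "203.0.113.2"], low=1024, high=1025)
    a = pat.translate("10.0.0.10", 50000, "198.51.100.5", 443)
    b = pat.translate("10.0.0.11", 50000, "198.51.100.5", 443)  # same private port as a
    c = pat.translate("10.0.0.12", 50000, "198.51.100.5", 443)  # first public IP is full
    return {
        "a": a,                         # ('203.0.113.1', 1024)
        "b": b,                         # ('203.0.113.1', 1025): different public port
        "c": c,                         # ('203.0.113.2', 1024): second pool address
        "capacity": pat.capacity(),     # 4
        "reply_b": pat.untranslate(*b), # ('10.0.0.11', 50000, '198.51.100.5', 443)
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the model makes visible that the replies only state: the public source port is the whole identity of a return flow on the outside, which is why it can never be shared, and capacity is simply pool size times port range, so the fix for exhaustion is another pool address, not a larger range.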
thanks for the labs!
littlemaflada 1 year ago
Thanks so much, this helped me a lot!
yenzenz 1 year ago
@yenzenz
Thanks for the feedback. Glad to help.
CovertSecOps 1 year ago
Thanks mate. Appreciate the feedback.
CovertSecOps 2 years ago
Excellent material
makinyode 2 years ago