topic Re: ASA 5520 problems with alias, static and nat in Network Security

ASA 5520 problems with alias, static and nat

networkingib — Mon, 11 Mar 2019 09:10:34 GMT

Hi all,

I have three networks, inside (security 100), dmz (security 50) and outside (security 0).

And I have a static nat to permit access from outside to a web server in dmz

static (dmz,outside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

I have configured de access-list to permit all and:

I can do ping from inside to the web server?s dmz_ip.

I can do from any external IP to the web server?s public_ip

But I can?t do ping from inside to the web server?s public_ip

So, I have try with alias:

alias (inside) Public_IP DMZ_WEB_SERVER_IP 255.255.255.255

And then I can do ping from inside to the web server?s public_ip

I can do from any external IP to the web server?s public_ip

But I can?t do ping from inside to the web server?s dmz_ip

I have try whit static too:

static (dmz,inside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

But the result is the same than with alias. Any idea?

Regards,

Fernando.

Re: ASA 5520 problems with alias, static and nat

a.kiprawih — Tue, 19 Dec 2006 11:10:12 GMT

Your config looks ok. BTW, are you configuring this with or without DNS around, i.e with external DNS?

IF you already tried (but unsuccessful) with the following commands (in pair):

static (dmz,outside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

alias(inside) Public_IP DMZ_WEB_SERVER_IP 255.255.255.255

Then, for testing purposes only, try to map inside & DMZ using static:

static (inside,dmz) inside_subnet inside_subnett netmask inside_netmask

i.e:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

*where 10.1.1.0 is your inside segment (/24)

Try to ping/access DMZ_WEB_SERVER_IP with its actual IP from inside. Make sure if you have ACL on the Inside interface, allow www access to the DMZ web server.

Example - look under "Translate a DMZ Address with Destination NAT:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Re: ASA 5520 problems with alias, static and nat

networkingib — Wed, 20 Dec 2006 12:36:54 GMT

The DNS is an external DNS in internet.

#Then, for testing purposes only, try to map inside & DMZ using static:

#static (inside,dmz) inside_subnet inside_subnett netmask inside_netmask

I did it before open this post and with it done inside network is available to comunicate with dmz network but then I can't connect from inside network to the Public_IP

I would like to be able to connect to the DMZ_WEB_SERVER trough the internal IP and the DNS name, for example www.realwebserver.com.

I have been looking for a solution in a lot of web sites but I don't have find nothing that confirm if it is possible or not.

Do you know it?

Regards and thanks for your post.

Re: ASA 5520 problems with alias, static and nat

a.kiprawih — Sat, 23 Dec 2006 03:02:40 GMT

Not that I know, except that the above Cisco link (look under Translate a DMZ Address with Destination NAT) provide config guide for Inside hosts accessing DMZ's webserver via it's internet name (combination of alias & static).