topic That's how it works on the in Network Security

Cannot access external IP from inside network

Matt Roberts — Tue, 12 Mar 2019 07:13:03 GMT

I cannot access our servers external IP from our internal networks. I can access the servers DMZ address but not the external. Any ideas?

That's how it works on the

Karsten Iwen — Fri, 29 Jan 2016 18:39:13 GMT

That's how it works on the ASA. Do you have a public IP per server that you translate to your internal host? Then DNS-doctoring is the easiest solution:

object network SERVER
 host 10.10.10.10
 nat (DMZ,outside) static 192.0.2.10 dns

I enabled that but still can

Matt Roberts — Fri, 29 Jan 2016 18:57:17 GMT

I enabled that but still can't ping the external IP.

wasn't clear enough on that .

Karsten Iwen — Sat, 30 Jan 2016 00:40:13 GMT

wasn't clear enough on that ...

The purpose of DNS-doctoring is not to reach the public IP. But now you can reach the internal host with the public FQDN that is assigned to the public IP.

Actually, just to clarify

Marius Gunnerud — Sun, 31 Jan 2016 01:21:32 GMT

Actually, just to clarify what Karsten has said. the DNS request needs to pass through the ASA for DNS doctoring / re-write to work. If your PC is on the same subnet as the DNS server, DNS doctoring will not work. In this case you will need to do twice NAT to make this work or add a new DNS A record for the internal IP of the server. Assuming that the server is located on the same subnet as the PC you are trying to reach it from you could configure NAT as follows (lets assume that the interface is called "inside"):

object network SERVER_PRIVATE

host 10.1.1.10

object network LAN

subnet 10.1.1.0 255.255.255.0

object network SERVER_PUBLIC

host 195.16.16.16

nat (inside,inside) source static LAN LAN destination static SERVER_PRIVATE SERVER_PUBLIC

same-security-traffic permit intra-interface

Please remember to select a correct answer and rate helpful posts