https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215944#M350029 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks, both options are good and its working for me.</P><P></P><P>Regards,</P><P></P><P>Rajesh</P></BODY></HTML> Fri, 17 May 2013 05:31:53 GMT integrixSS 2013-05-17T05:31:53Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215938#M350023 <P>Dear Team,</P><P></P><P>I am not able to access the web server with its public ip address when we want to access it from our local network.But there are no issue with the public network.I have configured the below mentioned configuration in the firewall:-</P><P></P><P>ASA5585</P><P>IOS ver 8.4(4)</P><P></P><P></P><P>object network local1</P><P> host 192.168.250.5</P><P> nat (inside,outside) static 117.239.93.250</P><P></P><P>object network local</P><P> subnet 192.168.250.0 255.255.255.0</P><P></P><P> nat (inside,outside) dynamic interface</P><P></P><P></P><P>access-list out extended permit tcp any host 117.239.93.250 eq www </P><P></P><P></P><P>access-group out in interface outside</P><P></P><P>Please suggest does ASA support to access the webserver with its public IP address from our local network or not.</P><P></P><P>Regards,</P><P>Sandeep</P> Tue, 12 Mar 2019 01:42:21 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215938#M350023 integrixSS 2019-03-12T01:42:21Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215939#M350024 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Atleast with the above ACL the connection even from the "outside" networks shouldnt work as you are using the public NAT IP in the ACL. You should use the local IP address.</P><P></P><P>You will have to play around with the NAT on the ASA to enable the use of the public IP address directly from the LAN network</P><P></P><P>You could try something like this</P><P></P><P></P><P><STRONG>object-group network WEB-SERVER-LAN-SOURCE</STRONG></P><P><STRONG> network-object 192.168.250.0 255.255.255.0</STRONG></P><P></P><P><STRONG>object network WEB-SERVER-PUBLIC</STRONG></P><P><STRONG> host 117.239.93.250</STRONG></P><P></P><P><STRONG>object network WEB-SERVER-LOCAL</STRONG></P><P><STRONG> host 192.168.250.5</STRONG></P><P></P><P><STRONG>nat (inside,inside) 1 source dynamic WEB-SERVER-LAN-SOURCE interface destination static WEB-SERVER-PUBLIC WEB-SERVER-LOCAL</STRONG></P><P></P><P><STRONG>same-security-traffic permit intra-interface</STRONG></P><P></P><P></P><P>Naturally the final configuration could look different depending on the whole setup. If there are for example more LAN networks that need to access the public IP address.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers.</P><P></P><P>Or ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 13 May 2013 08:49:51 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215939#M350024 Jouni Forss 2013-05-13T08:49:51Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215940#M350025 <HTML><HEAD></HEAD><BODY><P>Dear Jouni,</P><P></P><P>Thanks, its working for me.I just enter the below mentioned configuration as you suggested but I did not change access-list</P><P></P><P id="yui_3_7_2_1_1368420354796_65020" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">object network Local_network</P><P id="yui_3_7_2_1_1368420354796_65026" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;"> subnet 192.168.250.0 255.255.255.0</P><P id="yui_3_7_2_1_1368420354796_65027" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">exit</P><P id="yui_3_7_2_1_1368420354796_65028" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">object network Ereturn_Local</P><P id="yui_3_7_2_1_1368420354796_65029" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;"> host&nbsp; 192.168.250.5</P><P id="yui_3_7_2_1_1368420354796_65030" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">exit</P><P id="yui_3_7_2_1_1368420354796_65059"></P><P id="yui_3_7_2_1_1368420354796_65031" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">object network Ereturn_Public</P><P id="yui_3_7_2_1_1368420354796_65060" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;"> host 117.239.93.146</P><P id="yui_3_7_2_1_1368420354796_65582" style="color: #000000; font-family: 'times new roman', 'new york', times, serif; font-size: 16px;">exit</P><P id="yui_3_7_2_1_1368420354796_65032"></P><P id="yui_3_7_2_1_1368420354796_65034"></P><DIV id="yui_3_7_2_1_1368420354796_65033">nat (inside,inside) source dynamic Local_network interface destination static Ereturn_Public Ereturn_Local<P></P></DIV><P> Please also suggest if I have one more lan interface(.ie DMZ), then what command I have to assign to access the webserver with public IP address form DMZ Lan network.</P><P></P><P>Regards,</P><P>Rajesh</P></BODY></HTML> Mon, 13 May 2013 10:41:46 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215940#M350025 integrixSS 2013-05-13T10:41:46Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215941#M350026 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>With regarding the traffic to the web server from another interface we would have to first know does ANY host on the DMZ have the need to communicate with the server with its local/private IP address?</P><P></P><P>If not then the configuration should be simple (and I can provide it after the above situation is confirmed either way)</P><P></P><P>If the server needs to be reached with local IP address also then the configuration might be slightly more complicated or in some cases even impossible.</P><P></P><P>Let me know the answer to the above and we will look at the configuration needed.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 13 May 2013 12:31:05 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215941#M350026 Jouni Forss 2013-05-13T12:31:05Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215942#M350027 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have one subnet (192.168.200.0/24) in DMZ which needs to communicate with the web server with public IP address.</P><P></P><P>Regards,</P><P>Rajesh</P></BODY></HTML> Mon, 13 May 2013 12:37:35 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215942#M350027 integrixSS 2013-05-13T12:37:35Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215943#M350028 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Well if the DMZ does not have any need to contact the Web server with its local IP address then you can use this configuration</P><P></P><P><STRONG>object network DMZ<BR /></STRONG></P><P><STRONG>&nbsp; subnet 192.168.200.0 255.255.255.0</STRONG></P><P></P><P><STRONG>object network WEB-SERVER-PUBLIC</STRONG></P><P><STRONG> host 117.239.93.250</STRONG></P><P></P><P><STRONG>object network WEB-SERVER-LOCAL</STRONG></P><P><STRONG> host 192.168.250.5</STRONG></P><P></P><P><STRONG>nat (inside,dmz) 2 source static WEB-SERVER-LOCAL WEB-SERVER-PUBLIC destination static DMZ DMZ<BR /></STRONG></P><P></P><P></P><P></P><P>Or you might be able to configure it as easily as by configuring the following</P><P></P><P><STRONG>object network WEB-SERVER</STRONG></P><P><STRONG> host 192.168.250.5</STRONG></P><P><STRONG> nat (inside,dmz) static 117.239.93.250</STRONG></P><P></P><P>Let us know does it work or not.</P><P></P><P>And again remember to mark replys as correct if they answered the question and/or rate helpfull answers <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Mon, 13 May 2013 12:47:33 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215943#M350028 Jouni Forss 2013-05-13T12:47:33Z https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215944#M350029 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks, both options are good and its working for me.</P><P></P><P>Regards,</P><P></P><P>Rajesh</P></BODY></HTML> Fri, 17 May 2013 05:31:53 GMT https://community.cisco.com/t5/network-security/static-nat-issue/m-p/2215944#M350029 integrixSS 2013-05-17T05:31:53Z