Webserver and NAT (can access from outside, not inside)

James Sheridan — Tue, 12 Mar 2019 01:23:40 GMT

I have a 5515-X ASA and we are working on setting up a webserver that whould be accessible from the outside as weel as the inside.

The NAT rule allowing the webserver that is located on an internal LAN to be successful when accessing from the outside.

Now when I try to access the server from a system on the internal LAN i am unable to do so unless i use the internal address.

Not the end of the world right now as we are only in production, but it would be nice to only have to worry about the public IP as it is registered with DNS so.

here is the nat rule

nat (outside,inside) 1 source static any any destination static Webserver-Public Webserver-Private service https https

Thanks for any assistance.

Re: Webserver and NAT (can access from outside, not inside)

Jouni Forss — Thu, 04 Apr 2013 17:09:45 GMT

Hi,

If you want both

Static NAT the Server local IP to a Public IP

AND

NAT the Server so that it can be reached from the LAN with the public IP address

Then you could use the following types of configurations

Static NAT from LAN to WAN

object network SERVER-STATIC

host 10.0.0.200

nat (LAN,WAN) static 1.2.3.4

Where

10.0.0.200 = Server local IP address
1.2.3.4 = Public IP address dedicated for this server
LAN and WAN = Inside and Outside interfaces

Dynamic Policy PAT coupled with the Static NAT (Twice NAT) for the Server for LAN users

object network LAN

subnet 10.0.0.0 255.255.255.0

object network SERVER-LOCAL

host 10.0.0.200

object network SERVER-GLOBAL

host 1.2.3.4

nat (LAN,LAN) source dynamic LAN interface destination static SERVER-GLOBAL SERVER-LOCAL

Where

10.0.0.0/24 = Is the LAN network
10.0.0.200 = Is the server local IP address
1.2.3.4 = Is the server public IP address

The first NAT configuration is a simple Static NAT using "Network Object NAT" and its only purpose is to NAT the server local IP address to a public IP address for users on the Internet.

The second NAT configuration is a Dynamic Policy PAT with also the Static NAT done with a Twice NAT / Manual NAT configuration.

The way it works is that when the ASA sees a connection coming from the network LAN to the Public IP address then it will PAT the LAN users to the interface LAN IP address and it will also UN-NAT the public IP address to the local IP address of the server. This will enable you to connect to the server using the public IP address even from the LAN.

Hope I made any sense. Please do ask more if I didnt

Hope this helps

- Jouni

topic Webserver and NAT (can access from outside, not inside) in Network Security

Webserver and NAT (can access from outside, not inside)

Re: Webserver and NAT (can access from outside, not inside)