topic Re: access dmz server from inside using public ip in Network Security

access dmz server from inside using public ip

mjsully — Mon, 11 Mar 2019 16:48:37 GMT

I've got an ASA firewall with three active interfaces on it, an inside, outside, and DMZ. In the DMZ I have my servers. Each has a static mapping to an outside ip address in the form of a static (dmz,outside) x.x.x.x x.x.x.x

I have an internal app on the inside network that needs to verify the DMZ servers are accesible and listening on their appropriate services (i.e web site is accessible on web server). The inside app needs to access the DMZ server using the public ip, not its actual DMZ network address. Do I need to do anything special on the ASA to get this to work? Currently the only NAT I have configured on box is the DMZ, outside mappings, along with the inside network getting PAT'd to outside interface address for internet bound traffic. Thanks

Re: access dmz server from inside using public ip

keisikka — Tue, 15 Dec 2009 01:55:20 GMT

Hello mjsully,

Maybe the link can help you.

https://supportforums.cisco.com/message/1330220#1330220

THX

Keisikka

Re: access dmz server from inside using public ip

Kureli Sankar — Tue, 15 Dec 2009 02:30:42 GMT

Yes, you need D-NAT (Destination NAT).

That thread may be little hard to follow.

In your case you need the following:

staic (dmz,inside) p.p.p.p d.d.d.d

Where p.p.p.p is the public address and d.d.d.d is the dmz ip address for this server that the inside hosts need access to. That staic says that if the inside interface sees a packet destined to p.p.p.p it is supposed to forward it to the dmz interface to the d.d.d.d ip address.

Do you have source translation for the inside network to get to the DMZ?

like identity translation?

static (i,d) i.i.i.i i.i.i.i where inside address is i.i.i.i

Good Luck.

-KS