I have a web server sits behind an ASA5505, lets say it has the ip 10.0.1.10
I have configured a NAT rule to forward port 80 from the outside interface , for example 188.8.131.52 to this server. it works flawlessly.
However I have observed if I have a pc on the same subnet as this web server, lets say the PC has the ip of 10.0.1.20, it seems the PC wont be connect to the web server if I type in http://184.108.40.206. http://10.0.1.10 works without any issue.
Now I'm curious can I make the PC be able to access the web server's external address if it resides on the same subnet as the server?
Yes this is possible.
Take a look on this link on section 1 and section 2: https://community.cisco.com/t5/security-documents/dns-doctoring-and-u-turning-on-the-asa-quot-when-and-how-to-use/ta-p/3153693
Section 1 is for DNS-Doctoring (if users are getting DNS resolution from an external DNS) and Section 2 without DNS-Doctoring.
Thanks for the information but it seems I'm not allowed to section the "Translate the DNS reply for rules" checkbox which is somehow required to make DNS-Doctoring work. Is there something to do with my NAT?
since you can not use the DNS. the other solution could be something like this.
object network HOST-OUT
nat (WAN,Lab_Outside_Gateway) static 10.0.1.21
access-list OUT-IN extended permit tcp any host 10.0.1.21 eq 80
access-group OUT-IN in interface outside
if this fulfill your purpose and something you look like this. in that case from your Lab_Outside_Gateway pc and http://220.127.116.11. once this rule is place you can not http 10.0.1.21.
You have to reserve this IP address 10.0.1.21 for the use to this server binded to 18.104.22.168. howerver,
having said that this can be useful if you have a spare public ip address.
Thanks for the NAT tip. However my 22.214.171.124 public IP actually comes from DHCP from ISP. I do not have a static IP at the moment
In this case, Can I bind the host to the outside interface instead of 126.96.36.199 for the NAT rule to work?
I think i know what you want. might i can help you. but it will be a different approach.
first of all you tell me. if you sitting inside your network why you want to use the public ip address to access the server. you can easily use the private RFC 1918 addresses. having said that, in your mind you have some thing like this. you want to access this http://54.x.x.x from outside at internet if you not at home or you some where in another country so your server is always access able to you regards if the address from dhcp change.
if you answer this i can guide you.
Static NAT is used whenever an outside user would like to access a server that sits in your internal network. In this case, traffic traversing from WAN to Lab_Outside_Gateway.
For example, someone on the internet is trying to access the web server by HTTP://188.8.131.52. The packet arrives at the ASA and matches the NAT rule, the packet then translated into the private address and forwarded via the correct interface.
I understand that your question is how to use the public IP when accessing from the internal network. Can't you use the private IP when accessing from inside?
However in your case the traffic
Hi, I can use the private IP to access the web server without any issue. It's just being able to access the web server's public address is also required so now I'm still frustrated.
On a side note, Accessing the web server's public address from the internet also works.
Now the culprit being this flow :
Inside =======> outside
Inside <============== "
doesn't seem to work.
if i understand you topology which you draw you should be able to get connected to your web server from internet
type the address http://54.55.x.x
or do a packet tracer and past the result here
packet tracer input WAN tcp 184.108.40.206 123 10.0.1.10 80 detail
also give us show run access-list