
Cisco ASA dmz to outside NAT addresses?

chrismes
Level 1

We have an internet proxy in the DMZ which can connect to the internet.
But it does not work when trying to connect from inside to our own web servers, which are located in the DMZ but of course have NAT addresses in the outside IP range, where the proxy also has its NAT address.
When capturing traffic on the proxy, I can see the SYN packets to the outside address of the web servers.
But there is no SYN-ACK.
And it does not help to configure an access rule allowing connections from the DMZ to the outside subnet.
I can only solve this by setting our own domain to "direct" in the proxy.pac, so connections from our inside to our web servers do not use the proxy.
I can live with this solution, but I'd like to understand the behaviour of the ASA when connections are made from the DMZ to its own outside subnet.

Accepted Solution

Thanks for the reply.
I've found a community topic saying the ASA does not allow traffic that comes from the DMZ, is NATed, and goes back to the DMZ.
This might be correct.
So I've decided to bypass the proxy for our web servers.
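The bypass the poster settled on, as an added proxy.pac example that is not from this thread: the company's own domain and the outside NAT range of the DMZ servers are returned DIRECT, so inside clients never send those flows into the DMZ proxy, and everything else still goes via the proxy. The domain, subnet and proxy address are assumed placeholders, and the browser-supplied PAC helpers are re-implemented minimally so the file runs outside a browser (this isInNet only matches literal IP hosts; the real one also resolves names).

```javascript
// Added example, not from the thread. Values below are constructed placeholders.
const OWN_DOMAIN = ".example.com";          // assumed: the company's own domain
const OWN_PUBLIC_NET = "203.0.113.0";       // assumed: outside NAT range of the DMZ servers
const OWN_PUBLIC_MASK = "255.255.255.0";
const DMZ_PROXY = "PROXY 192.0.2.10:8080";  // assumed: the DMZ proxy's inside address

// Browsers supply dnsDomainIs/isPlainHostName/isInNet to PAC scripts; these
// minimal versions let the file be exercised stand-alone.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => Number.isNaN(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}
function isInNet(host, net, mask) {
  // Simplified: only literal IPv4 hosts match; non-IP hosts are not resolved.
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Own web servers, by name or by their outside NAT address, go direct, so the
  // connection never enters the DMZ proxy and is never hairpinned by the ASA.
  if (isPlainHostName(host) || dnsDomainIs(host, OWN_DOMAIN)) return "DIRECT";
  if (isInNet(host, OWN_PUBLIC_NET, OWN_PUBLIC_MASK)) return "DIRECT";
  // Everything else still goes through the DMZ proxy, with DIRECT as fallback.
  return DMZ_PROXY + "; DIRECT";
}
```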


2 Replies

Let's divide the issue into two.

First, does the ASA redirect HTTP client requests to the proxy server? I think you need to use WCCP on the ASA:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

Second, the traffic is only SYN (assuming the first point is OK); check:

show conn long host x.x.x.x

show conn detail host x.x.x.x

Check that the egress and ingress interfaces are correct.

Check that the NAT for the IP is correct.

MHM
