Access NAT rules on the outside from a DMZ

Rui Taveira
Level 1

Hi,

I have a server "published" to the outside interface with a static NAT.

I've set up a DMZ, and I need it to access that "published" server through its translated address.

The DMZ has a dynamic NAT rule, using the outside interface IP address.

My access rule for the "published" server is something like:

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx object-group HTTP-S

xxx.xxx.xxx.xxx is the translated address, and HTTP-S is an object formed by the http and https protocols.

The DMZ has the default access-rules (access-list wireless-guest_access_in extended permit ip any any).

Can anyone help me with this?

Best regards.

7 Replies

varrao
Level 10

Hi,

You might need to add another static command:

static (inside,dmz)  

It should work after that.

Let me know if this works.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for the help, but it doesn't work.

Any other suggestion?

I forgot to mention that the device is an ASA 5520, running 8.2(3).

Hi,

Please provide me the following outputs:

show run nameif

show run nat

show run global

show run static

show run access-list

Thanks,

Varun

Thanks,
Varun Rao

Thanks again for trying to help.

Basically, I need everyone behind the interface "wireless-guest" to be able to access a server on the "inside" interface (xxx.xxx.xxx.xxx) through its translated address (xxx.xxx.xxx.xxx).

As requested, here is the relevant information:

EDIT: Config omitted.

varrao
Level 10

Hi Rui,

Here's your answer:

static (inside,wireless-guest) 172.16.1.193 212.55.141.25

access-list wireless_access extended permit tcp any host 212.55.141.25

access-group  wireless_access in interface wireless-guest

Let me know if this works for you.

Thanks,

Varun

Thanks,
Varun Rao

That didn't work either.

But I seem to have "fixed" it.

What I did was create a static NAT between the wireless-guest and inside, activated DNS Rewrite on both rules (inside,outside) and (inside,wireless-guest) and turned DNS inspection on.

Thanks for all the help.
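The fix Rui describes, written out as a complete ASA 8.2 configuration. This is an added example, not configuration from the thread or from Cisco: the interface names, the two addresses and the HTTP-S object-group come from the thread, while the 172.16.0.0/16 inside range and the 192.168.50.10 guest source address are assumed.

```cisco
! Added example (not from the thread). Interface names, addresses and the
! HTTP-S object-group are from the thread; the inside range and the guest
! source address are assumed.
!
! ASA 8.2 static syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip
! 172.16.1.193 is the real (inside) address, 212.55.141.25 the translated one.

! Existing publication of the server to the outside, now with "dns" so the ASA
! rewrites A records in DNS replies that carry the mapped address.
static (inside,outside) 212.55.141.25 172.16.1.193 netmask 255.255.255.255 dns

! Same mapping towards the guest DMZ: a guest that connects to 212.55.141.25 is
! untranslated to 172.16.1.193; with "dns", a guest that resolves the server's
! name gets 172.16.1.193 in the reply instead and connects to it directly.
static (inside,wireless-guest) 212.55.141.25 172.16.1.193 netmask 255.255.255.255 dns

! DNS rewrite only takes effect when DNS inspection is enabled; this is the
! default global policy on 8.2.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! The thread's guest ACL is "permit ip any any", which also lets guests reach
! everything else on inside. Assumed tightening: allow the server by either
! address (pre-8.3 inbound ACLs match the address the client actually used),
! block the rest of the assumed 172.16.0.0/16 inside range, then let guests out.
access-list wireless-guest_access_in extended permit tcp any host 212.55.141.25 object-group HTTP-S
access-list wireless-guest_access_in extended permit tcp any host 172.16.1.193 object-group HTTP-S
access-list wireless-guest_access_in extended deny ip any 172.16.0.0 255.255.0.0
access-list wireless-guest_access_in extended permit ip any any
access-group wireless-guest_access_in in interface wireless-guest

! Verify: trace a guest connection to the mapped address and confirm that the
! UN-NAT and ACL phases both report ALLOW (guest source address is assumed).
packet-tracer input wireless-guest tcp 192.168.50.10 40000 212.55.141.25 80
show xlate | include 172.16.1.193
```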

Hi Rui,

Great work..... I was not aware of the DNS configuration, but great job.

Thanks,

Varun

Thanks,
Varun Rao