06-30-2013 03:28 AM - edited 03-11-2019 07:05 PM
Dear All,
One of our servers is natted to a public IP and it is accessible from the internet using the public IP.
Is there any way to access the server from the LAN using the public IP?
Thanks in advance.
Regards,
Shijo.
06-30-2013 04:20 AM
Hi,
You left out crucial parts of information.
It should be possible but we need additional information to give you an answer
- Jouni
06-30-2013 05:15 AM
Hi Jouni,
Thanks for the information.
Please find the required information below.
1) What is your firewall software level?
ASA 8.0(2)
2) What are the interface names? -
Inside & Outside
3) What are the IP addresses? (even if changed for the purpose of the example)
Inside IP - 10.1.1.XX
Outside IP - 89.XX.XX.248
Regards,
Shijo.
06-30-2013 06:00 AM
Hi,
Ok, actually forgot to ask one more question but I'll give an example here.
So you probably have a Dynamic PAT rule on your firewall currently that might look something like this
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
Or something very similar to the above.
What we need to do next is enable the following configuration
same-security-traffic permit intra-interface
You can check if it has been enabled already with the below command
show run same-security-traffic
What the first command I mention will do is enable traffic to enter and leave the same interface on the ASA. Without this command the connection would fail.
Now, next we will need a translation that might look a bit weird. We will need to translate the "Inside" server towards the "Inside" interface to the public IP address.
static (Inside,Inside) 89.xxx.xxx.248 10.1.1.xxx netmask 255.255.255.255
This will enable the users to reach the public IP address from behind the "Inside" interface with the public IP address. You probably have a similar "static" configuration for the server already but for "Inside" to "Outside" and that will only work for hosts that are connecting from the Internet, NOT from the "Inside" of your firewall.
Finally, we will need another NAT rule that might look weird
global (Inside) 1 interface
What this will do is do Dynamic PAT for the users behind "Inside" when they are connecting to the public IP address for which we did the "Inside" to "Inside" NAT configuration. If we did not add this configuration the connection wouldn't go through correctly.
Essentially what will happen after this when the "Inside" host connects to the public IP address is the following
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Naturally ask more if needed.
- Jouni
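Added example, not part of Jouni's reply and not ASA code: a small Python model of the address rewriting the three commands above perform, showing why the connection fails when any one of them is missing. The addresses (203.0.113.248 standing in for 89.xxx.xxx.248, 10.1.1.10 for the server, 10.1.1.50 for a LAN client, 10.1.1.1 for the ASA Inside interface) and the function name are assumptions made for the illustration.

```python
# Added illustration: models address rewriting only, not ASA internals.
# All addresses below are constructed placeholders.
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")
ASA_INSIDE = "10.1.1.1"      # assumed address of the ASA "Inside" interface
PUBLIC_IP = "203.0.113.248"  # stands in for 89.xxx.xxx.248
SERVER = "10.1.1.10"         # stands in for 10.1.1.xxx
CLIENT = "10.1.1.50"         # assumed LAN host


def hairpin(src, dst, intra_interface=True, static_inside=True, pat_inside=True):
    """Trace one LAN -> public-IP connection attempt.

    Returns (works, source_seen_by_server, reason).
    """
    # same-security-traffic permit intra-interface:
    # without it, traffic may not leave the interface it arrived on.
    if not intra_interface:
        return False, None, "dropped: intra-interface traffic not permitted"

    # static (Inside,Inside): rewrites the public destination to the real server.
    if not (static_inside and dst == PUBLIC_IP):
        return False, None, "no Inside-to-Inside translation for the destination"
    dst = SERVER

    # nat (Inside) 1 ... + global (Inside) 1 interface:
    # rewrites the LAN source to the ASA's own Inside address.
    if pat_inside and ip_address(src) in LAN:
        src = ASA_INSIDE

    # The server answers whatever source it saw. A LAN source that is not the
    # ASA is reached directly on the subnet, so the reply never passes back
    # through the firewall and still carries SERVER as its source, while the
    # client is waiting for an answer from PUBLIC_IP.
    if ip_address(src) in LAN and src != ASA_INSIDE:
        return False, src, "reply bypasses the firewall; client rejects it"

    return True, src, "reply returns via the firewall and is untranslated"


if __name__ == "__main__":
    for kwargs in ({}, {"pat_inside": False}, {"static_inside": False},
                   {"intra_interface": False}):
        print(kwargs or "full config", "->", hairpin(CLIENT, PUBLIC_IP, **kwargs))
```

In the working case the server sees every LAN client as the ASA Inside address, so per-client attribution in the server's own access logs is lost for hairpinned connections and has to come from the firewall's translation records.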
06-30-2013 06:30 AM
Dear Jouni....!!
You did the magic... It's working fine....
Loads of thanks.
Regards,
Shijo.