Allow public to server IP address

Hello

I have an ASA 5510 with 3 interfaces: inside, DMZ and outside. We have a solution with one server located on the DMZ with IP address 192.168.2.10, which is published to the internet with IP address 193.50.15.23, and we have an internal server with IP address 10.10.60.20. Our vendor asked us to allow our internal IP 10.10.60.2 to reach the public IP address 193.50.15.23 using ping and TCP port 8443. Any idea? I need to know which configuration I have to apply. My ASA works with IOS v9.X.

thanks
Do you have a site-to-site--or L2L--tunnel established with this vendor? 

Which is the internal IP that is assigned the NAT of 193.50.15.23 (192.168.2.10 or 10.10.60.20)?

Hello

No L2L or IPsec exists. Our vendor is responsible for the applications which run on the internal and DMZ servers. I need to allow my internal IP 10.10.60.20 to reach our public NATted IP address 193.50.15.23. I need to know which configuration should be applied.

Thanks

Hi,

I am assuming 10.10.60.20 is behind your inside interface. This is your DMZ server's internal IP, 192.168.2.10, mapped to 193.50.15.23.

I think you would need a NAT statement something like this:

object network INSIDE-NET
subnet 0 0
nat (inside,dmz) source INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

Ports you can control or restrict using the ACL if required.

Thanks and Regards,

Vibhor Amrodia

Hello

+5 for Vibhor, it's a great configuration. Just please add static; do it as below:

1- nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

2- Kindly check whether you have configured objects for your DMZ and public IP or not, because if you have existing objects for these IPs, you have to put the existing object instead of the IPs.

Thanks

please rate all useful information

Hi,

I would like to differ on the NAT statement that you gave as this statement is incorrect:-

nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

This should be instead:-

nat (inside,DMZ) source dynamic INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

Thanks and Regards,

Vibhor Amrodia

Hello

So this should be dynamic. Can you share why dynamic?

thanks

Hi,

When we are talking about mapping multiple IP addresses (Inside Net in this case) to a single IP (the interface in this case), we can never use a Static NAT statement. It always has to be dynamic.

Many-to-one translations always require the Dynamic keyword.

Thanks and Regards,

Vibhor Amrodia
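A complete worked configuration for the scenario in this thread, added here as an example; it is not any poster's configuration and not a Cisco reference. It assumes the DMZ interface's nameif is DMZ (the thread writes both dmz and DMZ), that 10.10.60.20 is the host behind inside, and the object names INSIDE-HOST, DMZ-SERVER-REAL and DMZ-SERVER-PUBLIC are mine. It narrows the translated source to the single inside host instead of the thread's any-subnet INSIDE-NET, uses the dynamic keyword the thread settles on, and adds the ACL the first accepted answer mentions, limited to ICMP echo and TCP/8443, plus packet-tracer checks to confirm the path.

```cisco
! Added example (not from the thread). U-turn (twice) NAT on ASA 9.x so the
! inside host reaches the DMZ server through its public address.
! Object names and the interface name "DMZ" are assumptions.
object network DMZ-SERVER-REAL
 host 192.168.2.10
object network DMZ-SERVER-PUBLIC
 host 193.50.15.23
object network INSIDE-HOST
 host 10.10.60.20
!
! Twice NAT: the source is PATed to the DMZ interface address and the
! destination 193.50.15.23 is un-NATed back to the real server.
! "dynamic" is required because a source object (potentially many hosts)
! is mapped to a single address, the interface.
nat (inside,DMZ) source dynamic INSIDE-HOST interface destination static DMZ-SERVER-PUBLIC DMZ-SERVER-REAL
!
! Least privilege: only ICMP echo and TCP/8443 from the one inside host.
! ASA 8.3+ ACLs match real (untranslated) addresses, so the destination
! is the real server IP, not the public one.
access-list INSIDE-IN extended permit icmp object INSIDE-HOST object DMZ-SERVER-REAL echo
access-list INSIDE-IN extended permit tcp object INSIDE-HOST object DMZ-SERVER-REAL eq 8443
access-group INSIDE-IN in interface inside
!
! Make ICMP stateful so echo-replies return without a DMZ-side ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify the NAT and ACL phases before trusting the change.
packet-tracer input inside tcp 10.10.60.20 12345 193.50.15.23 8443
packet-tracer input inside icmp 10.10.60.20 8 0 193.50.15.23
```

Two caveats worth checking before applying this. Binding a new ACL to the inside interface replaces the default "higher to lower security is permitted" behaviour, so every other inside-originated flow then needs an explicit permit; if an inside ACL already exists, add the two permit lines to it instead. Translating the source to the DMZ interface address also means the server's logs will record the ASA's DMZ IP rather than 10.10.60.20; if the real client address must be preserved for auditing, replace the source part of the rule with identity NAT (`source static INSIDE-HOST INSIDE-HOST`) and keep the destination part as is, which works here because both hosts sit behind the same ASA.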

I typed static because he mentioned one ip address . 

Hi Islam,

Thank you for your response. I think we were both saying the same thing.

I replied because of this. :)

object network INSIDE-NET
subnet 0 0

Thanks and Regards,

Vibhor Amrodia