Beginner

Allow public to server IP address

Hello

 

I have an ASA 5510 with 3 x interfaces: "inside, DMZ, Outside". We have a solution with one server located on the DMZ with IP address 192.168.2.10,

which is published to the internet with IP address 193.50.15.23, and we have an internal server with IP address 10.10.60.20. Our vendor asked us that we have to allow our internal IP 10.10.60.2 to reach the public IP address 193.50.15.23 using ping and TCP port 8443. Any idea? I need to know which configuration I have to apply. My ASA runs IOS v9.X.

 

thanks

 

 

 

 

Beginner

Do you have a site-to-site (L2L) tunnel established with this vendor?

Which is the internal IP that is assigned the NAT of 193.50.15.23 (192.168.2.10 or 10.10.60.20)?

Beginner

Hello

 

No L2L or IPsec exists. Our vendor is responsible for the applications which run on the internal and DMZ servers. I need to allow my internal IP 10.10.60.20 to reach our public NATted IP address 193.50.15.23. I need to know which configuration should be applied.

 

Thanks

 

Cisco Employee

Hi,

I am assuming 10.10.60.20 is behind your inside interface, and that 192.168.2.10 is your DMZ server's internal IP, mapped to 193.50.15.23.

I think you would need a NAT statement something like this:

object network INSIDE-NET

subnet 0 0

nat (inside,dmz) source INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

Ports you can control or restrict using an ACL if required.

Thanks and Regards,

Vibhor Amrodia

Advocate

Hello

+5 for Vibhor, it's a great configuration. Just please add static; do it as below:

1-nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

 

2- Kindly check whether you have configured objects for your DMZ and public IPs or not, because if you have existing objects for these IPs, you have to put the existing objects instead of the IPs.

 

Thanks

please rate all useful information

 

 

Cisco Employee

Hi,

I would like to differ on the NAT statement that you gave, as this statement is incorrect:

nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

This should instead be:

nat (inside,DMZ) source dynamic INSIDE-NET interface destination static 193.50.15.23 192.168.2.10

Thanks and Regards,

Vibhor Amrodia

Advocate

Hello

 

So this should be dynamic. Can you share why dynamic?

 

thanks

 

Cisco Employee

Hi,

When we are talking about mapping multiple IP addresses (i.e. the inside net in this case) to a single IP (i.e. the interface in this case), we can never use a static NAT statement. It always has to be dynamic.

Many-to-one translations always require the dynamic keyword.

Thanks and Regards,

Vibhor Amrodia

Advocate

I typed static because he mentioned one IP address.

Cisco Employee

Hi Islam,

Thank you for your response. I think we were both saying the same thing.

I replied because of this. :)

object network INSIDE-NET

subnet 0 0

Thanks and Regards,

Vibhor Amrodia
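The thread's conclusion (manual NAT with "source dynamic", object names instead of bare IPs, ports restricted by an ACL) pulled together into one complete ASA 9.x configuration with the checks to verify it. This is an added example, not a configuration posted by anyone in the thread. The object and ACL names (DMZ-SERVER, DMZ-SERVER-PUBLIC, INSIDE-NET, INSIDE_IN) are assumptions, as are the assumptions that the DMZ server is already published with object NAT, that only host 10.10.60.20 needs ICMP echo and TCP/8443, and that no inbound ACL is yet applied to the inside interface.

```cisco
! Existing publishing of the DMZ server (assumed to already be present).
! Object NAT (auto NAT, NAT section 2): 192.168.2.10 <-> 193.50.15.23 towards the outside.
object network DMZ-SERVER
 host 192.168.2.10
 nat (dmz,outside) static 193.50.15.23

! Objects the manual (twice) NAT rule needs: manual NAT takes object names, not bare IPs.
object network DMZ-SERVER-PUBLIC
 host 193.50.15.23
object network INSIDE-NET
 subnet 0.0.0.0 0.0.0.0

! Hairpin (U-turn) rule. Manual NAT lands in NAT section 1, so it is matched before the
! object NAT above. An inside host sending to 193.50.15.23 has its destination untranslated
! to 192.168.2.10 and its source PAT'd to the DMZ interface IP, so the DMZ server replies to
! the ASA even if it has no route back to the inside network. "source dynamic" is required
! because a whole subnet is mapped to one address (many-to-one), as the thread settled on.
nat (inside,dmz) source dynamic INSIDE-NET interface destination static DMZ-SERVER-PUBLIC DMZ-SERVER

! Limit the vendor's access to ICMP echo and TCP/8443 only. ASA 8.3+ ACLs match the REAL
! (untranslated) addresses, so the destination here is 192.168.2.10, not 193.50.15.23.
! Binding an ACL to the inside interface replaces the implicit "higher to lower security
! is allowed" behaviour with an implicit deny at the end, so everything else inside users
! already do must be listed too; the final permit stands in for that existing policy.
access-list INSIDE_IN extended permit icmp host 10.10.60.20 host 192.168.2.10 echo
access-list INSIDE_IN extended permit tcp host 10.10.60.20 host 192.168.2.10 eq 8443
access-list INSIDE_IN extended deny ip any host 192.168.2.10
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! Stateful ICMP inspection, so the echo-reply from the DMZ server is matched to the
! request and allowed back without a separate ACL entry on the DMZ interface.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification from enable mode. The NAT phase should show the hairpin rule and the
! UN-NAT of 193.50.15.23 to 192.168.2.10, the ACCESS-LIST phase should hit INSIDE_IN,
! and the result should be ALLOW for both traces.
packet-tracer input inside tcp 10.10.60.20 40000 193.50.15.23 8443
packet-tracer input inside icmp 10.10.60.20 8 0 193.50.15.23
show nat detail
show xlate
```

The `interface` keyword means the DMZ server sees the ASA's DMZ interface address, not 10.10.60.20, in its own logs. If the vendor needs the real source address on the server and the server's default gateway is the ASA, an identity translation can be used instead: `nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-SERVER-PUBLIC DMZ-SERVER`. Here `static` is valid because the source is mapped one-to-one to itself. DNS doctoring (`dns` on the object NAT) is not a substitute: it only rewrites replies from an external DNS server, and the vendor asked to reach 193.50.15.23 by IP.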