01-22-2019 09:04 AM - edited 02-21-2020 08:41 AM
Hi everyone, I have set up my ASA5506 as illustrated above.
GigabitEthernet1/1 and GigabitEthernet1/2 are set to get IP assigned by 2 separate ISPs through DHCP.
I have my workstations connected through a switch to the GigabitEthernet1/4 of the ASA and also servers
connected through a switch to the GigabitEthernet1/4.
GigabitEthernet1/1 is used for PAT purpose so the workstations can get internet access and GigabitEthernet1/2 is used
to port forward traffic to the web server.
The workstations can access the web server through its internal IP, which is 10.0.14.106, without problem. However they cannot seem to access the server's external IP, which is the same as the address of GigabitEthernet1/2. I can confirm that the port forwarding on GigabitEthernet1/2 works without any issue because I can use my phone, which is not connected to the ASA, to access the web server through the external IP.
Any idea how to make this work?
Thanks.
Here is part of the config:
!
interface GigabitEthernet1/1
nameif WAN-OUT
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif WAN-IN
security-level 0
dhcp client route distance 2
ip address dhcp setroute
!
interface GigabitEthernet1/3
nameif Server_Gateway
security-level 100
ip address 10.0.14.254 255.255.255.0
!
interface GigabitEthernet1/4
nameif WORKSTATION
security-level 100
ip address 172.30.255.254 255.255.255.0
!
access-list WAN-IN_access_in extended permit tcp any object Web-Server eq www
object network Web-Server
nat (Server_Gateway,WAN-IN) static interface service tcp www www
nat (WORKSTATION,WAN-OUT) after-auto source dynamic any interface
01-22-2019 10:57 AM
If I get this right, you are trying to access your G1/2 external IP from inside LAN that is on G1/4 then to get forwarded back inside. The simple answer is you can't do that. Firewall won't allow your internal host to talk to your outside interface. I can't even think of any reason why you want to do it. Any particular reason why you are trying what you are trying?
01-23-2019 04:25 AM
Thanks for the reply.
Actually what I'm trying to do is access the web server, which is on G1/4, using its external IP, which is G1/2, from the inside LAN that is on G1/3, which uses G1/1 to get internet access.
01-23-2019 06:31 AM
Yes, that does not matter. As I stated already, the firewall does not allow the inside network to talk to the Outside interface, that's just how it works. I have read it somewhere, might have been my CCNA Security book, I don't remember exactly. If I find it, I will post it since it will have a better explanation than me.
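As an added illustration (not from the thread, Cisco, or the ASA itself), the Python below is a simplified model of how the static object NAT in the posted config is matched for two flows: the phone's connection arriving on WAN-IN and a workstation's connection to that same WAN-IN address. The two DHCP-assigned WAN addresses and the client addresses are constructed placeholders, since the thread does not show them.

```python
from dataclasses import dataclass

# Constructed placeholder addresses; the real WAN addresses come from DHCP
# and are not given in the thread. Inside addresses are from the config.
IFACE_IP = {
    "WAN-OUT": "198.51.100.10",       # placeholder for G1/1
    "WAN-IN": "203.0.113.10",         # placeholder for G1/2
    "Server_Gateway": "10.0.14.254",  # G1/3, from the config
    "WORKSTATION": "172.30.255.254",  # G1/4, from the config
}
WEB_SERVER = "10.0.14.106"  # object network Web-Server


@dataclass(frozen=True)
class Flow:
    ingress: str  # interface the first packet arrives on
    src: str
    dst: str
    dport: int


def untranslate(flow):
    """Model 'nat (Server_Gateway,WAN-IN) static interface service tcp www www'.

    Object NAT is interface-pair specific: the mapped address (the WAN-IN
    interface IP, port 80) is only un-translated for packets that arrive on
    the mapped interface, WAN-IN. Returns (egress, real_destination) or None.
    """
    if (flow.ingress == "WAN-IN" and flow.dst == IFACE_IP["WAN-IN"]
            and flow.dport == 80):
        return ("Server_Gateway", WEB_SERVER)
    return None


def forward(flow):
    """Simplified forwarding decision for one new connection."""
    hit = untranslate(flow)
    if hit:
        egress, real_dst = hit
        # WAN-IN_access_in permits tcp any -> Web-Server eq www
        return ("forwarded", egress, real_dst)
    # No rule rewrote the destination. A packet addressed to one of the
    # ASA's own interface IPs terminates at the firewall; it is not routed
    # out another interface, which is what the reply above describes.
    if flow.dst in IFACE_IP.values():
        return ("dropped", "destination is an ASA interface address", None)
    return ("routed", "routing table", flow.dst)


# Constructed sample flows: a phone on the internet, and a workstation.
PHONE = Flow("WAN-IN", "192.0.2.50", IFACE_IP["WAN-IN"], 80)
WORKSTATION = Flow("WORKSTATION", "172.30.255.10", IFACE_IP["WAN-IN"], 80)
```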