03-16-2019 07:13 PM - edited 02-21-2020 08:57 AM
I have tried everything I can think of and everything I found on the net, but nothing works.
I attached my config minus a few lines.
This is the relevant part of my config:
: Saved
:
ASA Version 8.2(5)
!
hostname ASA5510
names
name 12.33.204.205 store
name 172.16.1.17 websrv1
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 1
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.1.253 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 1
ip address 12.33.204.206 255.255.255.248
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any outside
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) store websrv1 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 12.33.204.201 1
route inside 10.1.0.0 255.255.224.0 10.1.1.254 1
03-16-2019 10:42 PM
Hi,
Here is the guide:
https://community.cisco.com/t5/firewalls/nat-hairpin/td-p/1407782
Regards,
Deepak Kumar
03-16-2019 08:58 PM
Your access lists are permitting all IP traffic so they are not really restricting anything (except non-IP like icmp etc.).
Your NAT rules will make any server in the DMZ appear to be the interface address. Is that your intention?
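The two observations in the comment above turned into a small audit, as an added Python example that is not from the thread or from Cisco: it parses 8.2-style access-list, access-group, global and nat lines and reports ACLs that permit all IP traffic (with the interfaces they are bound to) and source interfaces whose dynamic NAT lands on an interface PAT. SAMPLE_CONFIG is a constructed excerpt of the poster's config, with dmz_access_in changed to a deny so the checker has something to tell apart.

```python
import re

# Constructed excerpt of the poster's 8.2 config (dmz_access_in changed to deny).
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) store websrv1 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
"""

def permit_any_acls(cfg):
    """Names of ACLs that contain a 'permit ip any any' entry."""
    pat = re.compile(r"^access-list (\S+) extended permit ip any any\s*$", re.M)
    return sorted(set(pat.findall(cfg)))

def acl_bindings(cfg):
    """ACL name -> [(direction, interface)] from access-group lines."""
    pat = re.compile(r"^access-group (\S+) (in|out) interface (\S+)", re.M)
    bound = {}
    for name, direction, iface in pat.findall(cfg):
        bound.setdefault(name, []).append((direction, iface))
    return bound

def wide_open_interfaces(cfg):
    """'iface:direction' for every binding of an ACL that permits all IP."""
    return sorted(f"{iface}:{d}" for name in permit_any_acls(cfg)
                  for d, iface in acl_bindings(cfg).get(name, []))

def interface_pat_sources(cfg):
    """Source interfaces whose nat id is served by a 'global ... interface'
    PAT, so their hosts appear as an interface address (statics take precedence)."""
    pat_ids = set(re.findall(r"^global \(\S+\) (\d+) interface\s*$", cfg, re.M))
    nats = re.findall(r"^nat \((\S+)\) (\d+) ", cfg, re.M)
    return sorted({src for src, nat_id in nats if nat_id in pat_ids})

def report(cfg):
    """Findings, one string per item."""
    out = [f"ACL {n} permits all IP traffic" for n in permit_any_acls(cfg)]
    out += [f"interface {b} is wide open" for b in wide_open_interfaces(cfg)]
    return out + [f"hosts behind {s} are PATed to an interface address"
                  for s in interface_pat_sources(cfg)]
```

Run report(SAMPLE_CONFIG) to see the findings; on the poster's full config the dmz bindings would also show up as wide open.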
03-28-2019 01:39 PM
Sorry for the long absence, I was on vacation. Originally that was the intention, but now everything has changed.
03-28-2019 01:41 PM
Sorry for the long absence, I was on vacation. I tried hair-pinning and could not make it work.
The requirements have changed anyway so I no longer require outside access. They can connect to the DMZ from the inside.
Thanks for your and everyone's help!