10-31-2018 04:25 PM - edited 02-21-2020 08:25 AM
We have an ASA 5510 with dual ISP. The default route is configured to ISP1, and the inside clients also go out through ISP1. We have a DMZ interface; there are public servers in it with private IPs, and the interesting ports are forwarded to them. The public services, hosted by the servers in the DMZ, are reachable from the ISP2's public IPs.
The problem is that the clients from the inside network can't reach the services in the DMZ via the public IP. Logically the traffic should go like Client -> ASA inside -> ASA outside1 -> ISP1 -> ISP2 -> ASA outside interface 2 -> DMZ. Ok, but the ASA has a connected interface to the ISP2's IP range, so maybe the traffic shouldn't go through the ISPs; the ASA should route it from the client to the DMZ server. Should we have a NAT rule from the client network directly to the DMZ? The log says that it failed to locate an egress interface.
Do you have any ideas?
Solved! Go to Solution.
10-31-2018 07:09 PM
Are you doing a no-NAT from the internal interface TO the DMZ interface?
In other words, add a NAT statement to NOT NAT from int. to external.
11-09-2018 06:32 AM
You're right! It was a basic problem, the NAT statement was the problem. Thank you!
11-03-2018 01:05 PM
You could try NAT reflection on the ASA to access the DMZ servers' public IPs directly from the LAN.
Regards,
Azam
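An added configuration example, not taken from any post in this thread, of the identity NAT / NAT reflection rule the accepted answer and the reply above describe. It assumes ASA 8.3+ NAT syntax and that the interface names (inside, dmz, outside2), object names and addresses are placeholders:

```cisco
! Assumed objects: the inside client subnet, the DMZ server's private
! address, and the ISP2 public address it is published on.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object network DMZ-WEB-PRIVATE
 host 192.168.10.10
 ! Existing inbound port forward from ISP2 (outside2) to the DMZ server
 ! (object NAT, evaluated in section 2).
 nat (dmz,outside2) static DMZ-WEB-PUBLIC service tcp www www

! The fix: for inside clients sending to the public IP, keep the source
! unchanged (identity NAT) and translate the destination to the DMZ
! server's private address. Because the rule is scoped (inside,dmz), the
! ASA picks the DMZ interface as egress for the flow instead of logging
! "failed to locate egress interface", and the traffic never leaves the box.
! "1" places it at the top of section 1 so a broader inside->outside1 PAT
! rule cannot match first.
nat (inside,dmz) 1 source static INSIDE-NET INSIDE-NET destination static DMZ-WEB-PUBLIC DMZ-WEB-PRIVATE

! Verify before declaring it fixed: the NAT phase should show this rule
! matched and the egress interface should be dmz.
packet-tracer input inside tcp 10.0.0.50 40000 203.0.113.10 80
```

If the inside-to-internet PAT is itself a manual (section 1) rule, confirm with `show nat` that the reflection rule is listed above it, since manual NAT rules are matched in order.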