ASA 5520 9.0(4) NAT FROM INSIDE TO DMZ using Public IP

bellaichef
Level 1

Hi,

I have an ASA 5520 on FW 9.0(4).

I have 3 subnets on it:

  • inside (10.1.1.0/24)
  • outside (1.1.1.2/28, webserver Public ip 1.1.1.3)
  • DMZ (20.1.1.0, webserver DMZ ip 20.1.1.10)

Clients on the inside are able to access the internet without any issue.

The webserver located on the DMZ is accessed without any issue if requests come from the outside using its public IP.

But we can't access Webserver from the inside using its public IP. (I don't want to do nat 0)

On FW prior to 8.4, this command would have solved my problem:

static (DMZ,inside) 1.1.1.3 20.1.1.10

I did not find how to reproduce the same behaviour on post-8.4 FW.

Many thanks in advance for any help.

Franck

1 Accepted Solution


manabans
Cisco Employee

The requirement can be achieved using the following configuration.
WebServer Private IP: 20.1.1.10 | WebServer Public IP: 1.1.1.3

!
object network obj-1.1.1.3
host 1.1.1.3
object network obj-20.1.1.10
host 20.1.1.10
!
nat (inside,DMZ) source dynamic any interface destination static obj-1.1.1.3 obj-20.1.1.10
!  
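
What the rule in the reply above does to a packet from an inside client, modelled in Python as an added example (not code from the thread and not Cisco's implementation). The DMZ interface address 20.1.1.1 and the client address 10.1.1.50 are assumed sample values, and the model covers only this one rule form.

```python
import ipaddress
import re

# Configuration lines from the reply above.
CONFIG = """\
object network obj-1.1.1.3
 host 1.1.1.3
object network obj-20.1.1.10
 host 20.1.1.10
nat (inside,DMZ) source dynamic any interface destination static obj-1.1.1.3 obj-20.1.1.10
"""

# Assumption: the page does not give the ASA's DMZ interface address.
DMZ_INTERFACE_IP = "20.1.1.1"

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) source dynamic any interface "
    r"destination static (\S+) (\S+)"
)


def parse(config):
    """Return (host objects, twice-NAT rule) from the config text."""
    objects, current, rule = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"]:
            current = words[2]
        elif words[:1] == ["host"] and current:
            objects[current] = str(ipaddress.ip_address(words[1]))
        elif (m := NAT_RE.match(line.strip())):
            # In "destination static A B", A is the mapped address the client
            # targets and B is the real address of the server.
            keys = ("real_if", "mapped_if", "dst_mapped", "dst_real")
            rule = dict(zip(keys, m.groups()))
    return objects, rule


def translate(ingress_if, src, dst, objects, rule):
    """Apply the rule to one packet; return (egress_if, src, dst)."""
    if ingress_if == rule["real_if"] and dst == objects[rule["dst_mapped"]]:
        # Destination is rewritten to the real server, and the source is
        # hidden behind the address of the egress (DMZ) interface.
        return rule["mapped_if"], DMZ_INTERFACE_IP, objects[rule["dst_real"]]
    return None, src, dst  # no match; other NAT rules would be evaluated


OBJECTS, RULE = parse(CONFIG)
```

Because the source is translated to the DMZ interface address, the webserver's logs show the firewall rather than the individual inside client for these connections.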

 

bellaichef
Level 1

Thanks, it worked like a charm. Why did they make such a simple thing something barely understandable?!
