ASA 5520 problems with alias, static and nat

networkingib
Level 1

Hi all,

I have three networks, inside (security 100), dmz (security 50) and outside (security 0).

And I have a static nat to permit access from outside to a web server in dmz

static (dmz,outside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

I have configured the access-list to permit all and:

I can do ping from inside to the web server's dmz_ip.

I can do ping from any external IP to the web server's public_ip

But I can't do ping from inside to the web server's public_ip

So, I have tried with alias:

alias (inside) Public_IP DMZ_WEB_SERVER_IP 255.255.255.255

And then I can do ping from inside to the web server's public_ip

I can do ping from any external IP to the web server's public_ip

But I can't do ping from inside to the web server's dmz_ip

I have tried with static too:

static (dmz,inside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

But the result is the same as with alias. Any idea?

Regards,

Fernando.

3 Replies

a.kiprawih
Level 7

Your config looks ok. BTW, are you configuring this with or without DNS around, i.e. with external DNS?

If you already tried (but unsuccessfully) the following commands (in pair):

static (dmz,outside) Public_IP DMZ_WEB_SERVER_IP netmask 255.255.255.255

alias (inside) Public_IP DMZ_WEB_SERVER_IP 255.255.255.255

Then, for testing purposes only, try to map inside & DMZ using static:

static (inside,dmz) inside_subnet inside_subnet netmask inside_netmask

i.e:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

*where 10.1.1.0 is your inside segment (/24)

Try to ping/access DMZ_WEB_SERVER_IP with its actual IP from inside. Make sure if you have ACL on the Inside interface, allow www access to the DMZ web server.

Example - look under "Translate a DMZ Address with Destination NAT":

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

The DNS is an external DNS in internet.

#Then, for testing purposes only, try to map inside & DMZ using static:

#static (inside,dmz) inside_subnet inside_subnet netmask inside_netmask

I did it before opening this post, and with it done the inside network is able to communicate with the DMZ network, but then I can't connect from the inside network to the Public_IP.

I would like to be able to connect to the DMZ_WEB_SERVER through the internal IP and the DNS name, for example www.realwebserver.com.

I have been looking for a solution on a lot of web sites, but I haven't found anything that confirms whether it is possible or not.

Do you know it?

Regards and thanks for your post.

Not that I know, except that the above Cisco link (look under Translate a DMZ Address with Destination NAT) provides a config guide for inside hosts accessing the DMZ's web server via its internet name (combination of alias & static).
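As an added example (not from this thread or the linked Cisco note), here is one way on ASA code before 8.3 to reach the DMZ server from inside by its public DNS name without the alias command: the dns keyword on the static rewrites the A-record answer coming back from the external DNS, so inside clients connect straight to the real DMZ address. The addresses are placeholders: 203.0.113.10 stands for Public_IP, 172.16.1.10 for DMZ_WEB_SERVER_IP, 10.1.1.0/24 for the inside segment.

```cisco
! Added example, not the poster's config. Placeholder addresses:
!   203.0.113.10 = Public_IP, 172.16.1.10 = DMZ_WEB_SERVER_IP, 10.1.1.0/24 = inside
!
! 1. Outside -> DMZ: publish the web server on its public address.
!    "dns" makes the ASA rewrite A-record answers that match this static,
!    so an inside host asking the external DNS for www.realwebserver.com
!    receives 172.16.1.10 instead of 203.0.113.10. Use this instead of
!    "alias"; the two are alternatives, not meant to be combined.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 dns
!
! 2. Inside -> DMZ: identity translation (as suggested above for testing),
!    so the web server sees the real client address in its logs.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 3. DNS rewriting only happens when DNS inspection is on; ICMP inspection
!    lets the echo-reply from the lower-security DMZ return to inside.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
!
! 4. Outside -> public address: only HTTP, nothing else inbound.
!    (Before 8.3 the outside ACL references the mapped/public address.)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! 5. Inside -> DMZ: HTTP and echo to the web server only; the rest of the
!    DMZ stays closed while normal outbound traffic continues.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.10 eq www
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 host 172.16.1.10 echo
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

Check with "show xlate" and "show conn" from an inside host after clearing its DNS cache: the connection should appear to 172.16.1.10, not to the public address.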
