ASA Allow access to public IPs

jjursch
Level 1

I have an ASA 5505 with four VLANs: outside, dmz, inside and guest.  In the dmz there are a few web and mail servers, and I want to allow users on the inside network to access the dmz servers via their public IP, not their private IP.  Doing this just makes management of DNS and clients easier...  Is this possible?  On the PIX I think I remember people saying it could not be done?  Appreciate any ideas - thanks

-james

1 Reply

shzaman
Level 1

Hi,

For accessing DMZ servers using public IPs instead of their private IPs, we will have to configure destination NAT for the server. For example, if 11.11.11.11 is the public IP for DMZ server 10.10.10.10, then the following static NAT will be needed to access 10.10.10.10 from inside using IP 11.11.11.11:

static (dmz,inside) 11.11.11.11 10.10.10.10 netmask 255.255.255.255

So if a user on the inside network tries to hit IP 11.11.11.11 (destination), it will get translated to 10.10.10.10 on the dmz. Now for source NAT we can use static or dynamic.

Dynamic:

nat (inside) 1 0 0    // '0 0' means all IPs on inside; you may use the inside pool instead

global (dmz) 1 interface

Or

Static Identity:

static (inside,dmz) <inside-network> <inside-network> netmask <mask>

Example: if 192.168.1.0/24 is the inside pool, then it will be

static (inside, dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Using static identity will help in logging/monitoring, because the real IP of the inside user will hit the server. If you don't want this, then you may use dynamic for source NAT (in this case the DMZ interface IP will be the source seen on the DMZ server).

So in short, we will have to do destination NAT for the server and source NAT (dynamic or static) for the user on inside. And if there are ACLs configured on inside and dmz, then the ACL should be allowing the required traffic.

I hope this will help.

-Shahid
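As an added example (not part of either post above), here is the complete pre-8.3 configuration the reply describes, put together with an inside ACL that only opens the ports the DMZ servers actually serve, plus the show/packet-tracer checks used to confirm the translation. The addresses (10.10.10.10, 11.11.11.11, 192.168.1.0/24) and interface names come from the thread; the ACL name, the port list and the 8.3+ object NAT translation at the end are assumptions.

```cisco
! Added example, not from the original thread. Addresses reused from the reply:
!   DMZ server real IP 10.10.10.10, public IP 11.11.11.11, inside network 192.168.1.0/24
! ACL name and port list are assumed for illustration.

! ---- Pre-8.3 syntax (as in the reply) ----
! Destination NAT: inside hosts reach the DMZ server by its public IP
static (dmz,inside) 11.11.11.11 10.10.10.10 netmask 255.255.255.255
! Source NAT, identity: inside users keep their real IP, so DMZ server logs stay meaningful
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Inside ACL: permit only the services the DMZ hosts serve; the public IP must not
! become a shortcut around DMZ policy. Pre-8.3 ACLs reference the MAPPED address
! as seen from the interface the ACL is applied to, i.e. 11.11.11.11 here.
access-list inside_to_dmz extended permit tcp 192.168.1.0 255.255.255.0 host 11.11.11.11 eq 443
access-list inside_to_dmz extended permit tcp 192.168.1.0 255.255.255.0 host 11.11.11.11 eq 25
access-list inside_to_dmz extended deny ip any any log
access-group inside_to_dmz in interface inside

! ---- Verification (run from enable mode) ----
! Shows the static translation 11.11.11.11 <-> 10.10.10.10 is installed
show xlate
! Simulates an inside client to the public IP and prints the NAT and ACL verdicts per phase;
! a DROP in the NAT or ACCESS-LIST phase means the rules above did not match the flow
packet-tracer input inside tcp 192.168.1.50 40000 11.11.11.11 443

! ---- Same destination NAT in 8.3+ object NAT (assumed translation, not in the thread) ----
! In 8.3+ ACLs reference the REAL address (10.10.10.10), and no identity rule is needed for
! inside->dmz unless another NAT rule would otherwise translate the inside hosts.
object network dmz-web-real
 host 10.10.10.10
 nat (dmz,inside) static 11.11.11.11
```

The `deny ip any any log` line at the end of the ACL is what makes the design reviewable: any inside host probing the DMZ on an unexpected port shows up as a logged deny rather than silently relying on the implicit deny.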
