ASA from inside to published dmz host through external address

Anatoly Fedchik
Level 1

Hello,

I need some help, please.

I configured the ASA to access, from inside, a web site (through its public IP) that is published to the DMZ subnet.

Example:

inside user host -  10.205.10.100

ASA interfaces

inside - 10.205.10.1

dmz host - 192.168.200.20 

outside published host address - 1.1.1.20

outside pat interface - 1.1.1.1

From inside host 10.205.10.100 I open 1.1.1.20 and the connection times out.

Dec 20 2012 20:31:59: %ASA-6-305011: Built dynamic TCP translation from inside:10.205.10.100/14468 to outside:1.1.1.1/48234

Dec 20 2012 20:31:59: %ASA-6-302013: Built outbound TCP connection 92 for outside:1.1.1.20/23 (1.1.1.20/80) to dmz:192.168.200.20/14468 (1.1.1.1/48234)

Is it possible? Or do I need to perform this through DNS to access the private address of the published host?

1 Accepted Solution

nat (dmz,any) source static obj-192.168.200.20 obj-1.1.1.20

3 Replies

Jouni Forss
VIP Alumni

Hi,

You have a separate public IP address for the server?

Is that Web server reached by some name at the moment from the Internet?

Are you using a DNS server on the Internet for your LAN users?

If all of the above are true, you should be able to configure the NAT on the ASA so that you can reach the Web server from your LAN the same way you would reach it from the Internet.

The logs you posted don't seem to be related to the actual Web server connections, or if they are, there are some pretty weird NAT configurations going on.

Also, if you have only made the Web server's NAT between DMZ and OUTSIDE, it will not apply to connections coming from the LAN. In other words, in that case you can't use the public IP address to connect to the Web server from LAN.

Can you answer the above questions and perhaps provide some current configurations from the ASA to go through the situation?

- Jouni

nat (dmz,any) source static obj-192.168.200.20 obj-1.1.1.20

Thank you, it worked. I first tried to accomplish this by using only the inside interface, that is, with the user and host on the same subnet and the user referring to the host by its public IP, but without success. When the host is on the DMZ subnet, it worked.
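
The difference between a DMZ-to-outside static NAT and the accepted `(dmz,any)` form, as an added example that is not part of the original thread. The object definitions and the narrower `(dmz,outside)` rule are assumptions (the poster's actual configuration was not shown), as is ASA 8.3 or later syntax.

```cisco
! Added example; the object bodies and the "before" rule are assumed,
! not taken from the thread.
object network obj-192.168.200.20
 host 192.168.200.20
object network obj-1.1.1.20
 host 1.1.1.20
!
! Before (assumed): the translation is bound to the dmz/outside pair only.
! A packet arriving on inside for 1.1.1.20 is not un-translated, so it is
! routed toward outside and picks up the interface PAT (1.1.1.1), which
! matches the 305011 log line in the question.
nat (dmz,outside) source static obj-192.168.200.20 obj-1.1.1.20
!
! After (accepted solution): mapped interface "any" un-translates 1.1.1.20
! to 192.168.200.20 whichever interface the packet arrives on.
no nat (dmz,outside) source static obj-192.168.200.20 obj-1.1.1.20
nat (dmz,any) source static obj-192.168.200.20 obj-1.1.1.20
!
! From 8.3 on, interface ACLs match the real address: any ACL applied to
! inside must permit the inside hosts to 192.168.200.20 tcp/80, not to
! 1.1.1.20. "any" also makes the mapped address reachable from every
! interface, so those ACLs are what limits who can use it.
!
! Verify from privileged EXEC (not configuration mode):
! packet-tracer input inside tcp 10.205.10.100 14468 1.1.1.20 80
!   expect an UN-NAT phase rewriting 1.1.1.20 to 192.168.200.20
!   and the output interface to be dmz
! show nat detail
! show xlate
```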
