Re: ASA help needed

cdickerson · ‎12-31-2010

Not even sure what I am trying to do is called. But here is what I got. I have a ASA 5520 running 8.3. I have sub interfaces on my inside interface. They have different security levels and I have the ASA configured to not allow same security level interfaces to communicate. One of the subinterfaces has a Exchange OWA server; it has a static NAT going to a public IP on my outside interface (this internal subinterface has a higher security level). My other subinterface has a bunch of workstations trying to access the OWA server. They have a PAT NAT configured to send the entire network to another IP address on the outside interface. What I am trying to do is have them access the OWA server via it's outside address. Doesn't seem to work. So I guess I am asking how do I allow two outside IP's communicate/route to each other? Thanks

-Craig

mirober2 · ‎12-31-2010

Hi Craig,

All you'll need is the following config, though make sure it doesn't overlap with anything you already have configured:

Assumptions:
OWA internal IP = 192.168.1.100
OWA external IP = A.B.C.D
Interface name that protects OWA = inside
"Other subinterface" name = inside2
Outside/Internet interface name = outside
object network OWA
    host 192.168.1.100
    nat (inside,any) static A.B.C.D
access-list outside_access_in permit tcp any host 192.168.1.100 eq https
access-list inside2_access_in permit tcp any host 192.168.1.100 eq https
access-group outside_access_in in interface outside
access-group inside2_access_in in interface inside2

The above config will allow hosts on inside2 and outside to access the OWA server by its public IP address, A.B.C.D. Give that a try and if you're still running into issues, please post sanitized copies of 'show run object', 'show run nat', and 'packet in inside2 tcp 12345 A.B.C.D 443'.

Hope that helps.

-Mike