ASA: Question about static public IP accessing

jopontes
Level 1

Hi there,

Is it possible to access a server located in the DMZ using its public IP address (static NAT), from a server in the same DMZ or from another station on another network interface (inside or management)? Will that be possible on the ASA?

My customer states that it can be done on Check Point firewalls.

Any feedback is highly appreciated.

5 Replies

acomiskey
Level 10

Yes. But it will be one or the other, not both. It is called destination NAT.

DMZ server public IP = 1.1.1.1

DMZ server IP = 192.168.1.1

To access from inside...

static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

To access it from another DMZ machine you must use hairpinning. DNS doctoring will only work if you're trying to resolve it, not using an IP.

Hairpinning Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
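The DMZ-to-DMZ hairpin case described in the reply above, written out as an added example (not part of the original posts) in the same pre-8.3 NAT syntax as the `static` command in the thread. The DMZ subnet 192.168.1.0/24, the interface name `dmz`, NAT ID 1 and the test client 192.168.1.50 are assumptions.

```cisco
! Assumptions (not from the thread): DMZ subnet 192.168.1.0/24,
! interface nameif "dmz", NAT ID 1 free for use on this interface.

! 1. Let traffic enter and leave the same interface (off by default).
same-security-traffic permit intra-interface

! 2. Destination translation on the DMZ itself: a DMZ host that connects
!    to the public address 1.1.1.1 is forwarded to the real server.
static (dmz,dmz) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

! 3. Source translation for hairpinned flows: DMZ clients are PATed to the
!    ASA's DMZ interface address. Without this the server would answer the
!    client directly on the local subnet, the reply would arrive from
!    192.168.1.1 instead of 1.1.1.1, and the client would drop it.
nat (dmz) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface

! 4. Check the result from the ASA (192.168.1.50 is a constructed client).
!    packet-tracer input dmz tcp 192.168.1.50 1025 1.1.1.1 80
!    show xlate
```

Because of step 3, the server's logs show the ASA's DMZ interface address as the source of every hairpinned connection, so per-client attribution for that traffic has to come from the firewall's own connection logs.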

D-NAT is not an option for the customer, since he needs to actually go out and go back in the same interface.

I had used hairpinning in a VPN client and lan-2-lan environment, but I didn't think of it as a solution for this scenario.

I'll try that and I'll post here again with my findings. Thanks a lot!

"D-NAT is not an option for the customer, since he needs to actually go out and go back in the same interface"

-I posted an example for inside to dmz using d-nat. The other example (hairpin) was for dmz to dmz.

Sure, I got it! Thanks again.
