09-12-2007 11:15 AM - edited 03-11-2019 04:10 AM
Hi there,
Is it possible to access a server located at the DMZ using its public IP address (static nat), from a server in the same DMZ or another station in another network interface (inside or management)? Will that be possible in the ASA?
My customer states that it can be done on Check Point firewalls.
Any feedback is highly appreciated.
09-12-2007 11:27 AM
09-12-2007 11:28 AM
Yes. But it will be one or the other, not both. It is called destination NAT.
DMZ server public ip = 1.1.1.1
DMZ server ip = 192.168.1.1
To access from inside...
static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
To access it from another DMZ machine you must use hairpinning. DNS doctoring will only work if you're trying to resolve it, not using an IP.
Hairpinning Example
09-12-2007 11:44 AM
D-NAT is not an option for the customer, since he needs to actually go out and go back in the same interface.
I had used hairpinning in a VPN client and lan-2-lan environment, but I didn't think of it as a solution for this scenario.
I'll try that and I'll post here again with my findings. Thanks a lot!
09-12-2007 11:54 AM
"D-NAT is not an option for the customer, since he needs to actually go out and go back in the same interface"
-I posted an example for inside to dmz using d-nat. The other example (hairpin) was for dmz to dmz.
09-12-2007 12:01 PM
Sure, I got it! Thanks again.