We have several interfaces set up on our ASA 5516 with different security settings in the access lists. I have 2 of these interfaces that are causing me a headache.
For example: Interface 1 (172.16.1.x corporate network) and Interface 3 (192.168.1.x dirty test network) are not allowed to talk to each other internally; they have an explicit deny in both directions. Both interfaces have NAT to different external IP addresses. The dirty test network has various test servers that allow external access. I need people in the corporate network to be able to access these test servers via the external IP addressing, like anyone else in the world. I assume the ASA is blocking this as it knows both networks and is being too clever. How do I allow access between these networks, but only via the external IP?
1. Issue the command ‘same-security-traffic intra-interface’, allowing you to trombone the outside interface. Ensure that any additional NATs are in place to facilitate this.
2. If the sites/services in the non-corporate network have an associated public DNS record, replicate this record in your internal DNS servers, pointing to the real (192.168.1.x) IP of the site/service. Ensure that you have the specific ACL permits in place between zones, and the relevant NATs in place (172.16.1.x <> 192.168.1.x).
3. Use the Cisco ASA DNS rewrite option, which will inject the internal/real IP of the site/service whenever a matching NAT is configured. This will ensure that any DNS query originating from your corporate network to upstream DNS servers is answered with the internal IP of the service. This happens whenever an external DNS lookup is performed. Please read the following for further information on how to achieve this;
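The configuration below is an added worked example, not part of the answer above or any Cisco documentation. It shows options 1 and 3 together on ASA 8.3+ syntax (which the 5516 runs): the static NAT that publishes a test server with the dns keyword for DNS rewrite, a manual NAT that redirects corporate clients who connect to the public IP straight to the real server (the "U-turn" that makes the public address reachable from inside), and the ACL permit that must sit above the existing explicit deny. All names are assumptions: the interfaces are called inside (172.16.1.0/24), dmz (192.168.1.0/24) and outside; the test server is 192.168.1.10 published as 203.0.113.10; and the inside ACL is INSIDE_IN.

```cisco
! Assumed objects for this example (addresses and names are not from the original post)
object network CORP_NET
 subnet 172.16.1.0 255.255.255.0
object network DMZ_WEB
 host 192.168.1.10
object network DMZ_WEB_PUBLIC
 host 203.0.113.10

! Option 3: publish the test server and enable DNS rewrite.
! With the dns keyword the ASA rewrites A-record answers that cross it
! (203.0.113.10 -> 192.168.1.10), so a corporate host that resolves the
! public name via an upstream DNS server receives the real DMZ address.
! Requires DNS inspection, which is on by default in global_policy
! (inspect dns preset_dns_map). Check with: show service-policy inspect dns
object network DMZ_WEB
 nat (dmz,outside) static DMZ_WEB_PUBLIC dns

! Option 1 on a modern ASA: U-turn NAT. A corporate host that connects to
! 203.0.113.10 (cached or hard-coded) is redirected to the DMZ server without
! leaving via outside. Manual NAT with a destination clause; the ASA picks the
! egress interface (dmz) from this rule, and the client still sees the reply
! come from 203.0.113.10. Source is translated to itself (no source NAT).
nat (inside,dmz) source static CORP_NET CORP_NET destination static DMZ_WEB_PUBLIC DMZ_WEB

! ACLs on ASA 8.3+ are evaluated against real (untranslated) addresses, so the
! permit references 192.168.1.10 and must be inserted above the explicit deny.
access-list INSIDE_IN line 1 extended permit tcp object CORP_NET object DMZ_WEB eq 80
access-list INSIDE_IN line 2 extended permit tcp object CORP_NET object DMZ_WEB eq 443
access-group INSIDE_IN in interface inside

! Only needed if a flow must enter and exit the same interface (for example
! both networks behind one interface, or a VPN client hairpin). It is the
! full form of the command referred to in step 1 of the answer.
same-security-traffic permit intra-interface
```

Verify with packet-tracer before and after: `packet-tracer input inside tcp 172.16.1.50 12345 203.0.113.10 443` should show the UN-NAT phase mapping the destination to 192.168.1.10, egress interface dmz, and an ACCESS-LIST allow; if the result is DROP at ACCESS-LIST, the permit is below the deny. Keep the dmz-side ACL as restrictive as it is for the outside: the permit only opens the published service ports from CORP_NET, so the existing deny between the two networks still applies to everything else.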