Beginner

ASA virtual IP concept

Coming from a netscreen/junos background...

For allowing access to the inside from a DMZ IP I'd usually configure a VIP using an IP in the DMZ network that would map/nat to an IP on the inside interface and apply the appropriate acl/policies to that mapping. This would keep, somewhat, our internal IP schema from DMZ assets...less info is better, right?

I can't for the life of me figure out how to do this on the ASA. All the examples I find just do a typical NAT to where the DMZ server communicates directly with your internal IP.

It looks like to create any virtual IP you have to create a subinterface and then configure the NAT and ACLs to that. Is that how to do this on an ASA? It just didn't seem right to me.

ASA 5516X running 9.10

Thanks.

1 REPLY
Hall of Fame Guru

Try something like this 1-1 static NAT rule:

nat (inside,dmz) source static <original inside source IP> <original source ip> destination static <NAT address using an unused DMZ address> <NAT address using an unused DMZ address>

...and then allow access to the original source IP in an access-list that's applied inbound on the DMZ interface.
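A fuller worked version of the twice NAT approach, added here as an example and not part of the reply above. All addresses, object names and the ACL name are constructed: an inside web server 10.1.1.10 is exposed to the DMZ network 172.16.1.0/24 only as the DMZ-side virtual IP 172.16.1.100, and the interfaces are assumed to be named inside and dmz.

```cisco
! Constructed addresses: 10.1.1.10 is the real inside server, 172.16.1.100
! is an unused DMZ address that will act as its virtual IP on the DMZ side.
object network INSIDE-WEB-REAL
 host 10.1.1.10
object network INSIDE-WEB-VIP
 host 172.16.1.100
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
!
! Twice NAT (manual NAT): the inside server's address is translated to the
! VIP toward the DMZ, while the DMZ hosts pass through untranslated.
! Static twice NAT is bidirectional, so a DMZ host connecting to
! 172.16.1.100 reaches 10.1.1.10 and only ever sees the VIP. The ASA
! proxy-ARPs for the mapped address on the dmz interface, which is why
! the VIP must be an address nothing else in the DMZ uses.
nat (inside,dmz) source static INSIDE-WEB-REAL INSIDE-WEB-VIP destination static DMZ-NET DMZ-NET
!
! On ASA 8.3 and later the interface ACL is evaluated against the real
! (untranslated) destination, so the rule names the inside object, not
! the VIP. Permit only the service that is actually needed and log the
! implicit deny so unexpected DMZ-to-inside attempts are visible.
access-list DMZ-IN extended permit tcp object DMZ-NET object INSIDE-WEB-REAL eq 443
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

Check the rule with `packet-tracer input dmz tcp 172.16.1.20 40000 172.16.1.100 443`: the NAT phase should show the destination rewritten to 10.1.1.10 and the ACCESS-LIST phase should match DMZ-IN. Note that the hiding is one-directional; the inside server still sees the DMZ host's real source address, because only the inside side is translated.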
