Cannot access external IP from inside network

Matt Roberts · ‎01-29-2016

I cannot access our servers external IP from our internal networks. I can access the servers DMZ address but not the external. Any ideas?

Karsten Iwen · ‎01-29-2016

That's how it works on the ASA. Do you have a public IP per server that you translate to your internal host? Then DNS-doctoring is the easiest solution:

object network SERVER
 host 10.10.10.10
 nat (DMZ,outside) static 192.0.2.10 dns

Matt Roberts · ‎01-29-2016

I enabled that but still can't ping the external IP.

Karsten Iwen · ‎01-29-2016

wasn't clear enough on that ...

The purpose of DNS-doctoring is not to reach the public IP. But now you can reach the internal host with the public FQDN that is assigned to the public IP.

Marius Gunnerud · ‎01-30-2016

Actually, just to clarify what Karsten has said. the DNS request needs to pass through the ASA for DNS doctoring / re-write to work. If your PC is on the same subnet as the DNS server, DNS doctoring will not work. In this case you will need to do twice NAT to make this work or add a new DNS A record for the internal IP of the server. Assuming that the server is located on the same subnet as the PC you are trying to reach it from you could configure NAT as follows (lets assume that the interface is called "inside"):

object network SERVER_PRIVATE

host 10.1.1.10

object network LAN

subnet 10.1.1.0 255.255.255.0

object network SERVER_PUBLIC

host 195.16.16.16

nat (inside,inside) source static LAN LAN destination static SERVER_PRIVATE SERVER_PUBLIC

same-security-traffic permit intra-interface

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts