Cannot access external IP from inside network
01-29-2016 09:12 AM - edited 03-12-2019 12:13 AM
I cannot access our server's external IP from our internal networks. I can access the server's DMZ address but not the external. Any ideas?
Labels: NGFW Firewalls
01-29-2016 10:39 AM
That's how it works on the ASA. Do you have a public IP per server that you translate to your internal host? Then DNS-doctoring is the easiest solution:
object network SERVER
 host 10.10.10.10
 nat (DMZ,outside) static 192.0.2.10 dns
01-29-2016 10:57 AM
I enabled that but still can't ping the external IP.
01-29-2016 04:40 PM
Wasn't clear enough on that ...
The purpose of DNS-doctoring is not to reach the public IP. But now you can reach the internal host with the public FQDN that is assigned to the public IP.
01-30-2016 05:21 PM
Actually, just to clarify what Karsten has said: the DNS request needs to pass through the ASA for DNS doctoring / re-write to work. If your PC is on the same subnet as the DNS server, DNS doctoring will not work. In this case you will need to do twice NAT to make this work or add a new DNS A record for the internal IP of the server. Assuming that the server is located on the same subnet as the PC you are trying to reach it from, you could configure NAT as follows (let's assume that the interface is called "inside"):
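object network SERVER_PRIVATE
 host 10.1.1.10
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network SERVER_PUBLIC
 host 195.16.16.16
! Destination objects go mapped-first: the public IP the clients dial, then the real host.
! Source PAT to the inside interface makes the server's replies return through the ASA.
nat (inside,inside) source dynamic LAN interface destination static SERVER_PUBLIC SERVER_PRIVATE
! Allow traffic to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface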
--
Please remember to select a correct answer and rate helpful posts
