01-29-2016 09:12 AM - edited 03-12-2019 12:13 AM
I cannot access our server's external IP from our internal networks. I can access the server's DMZ address but not the external. Any ideas?
01-29-2016 10:39 AM
That's how it works on the ASA. Do you have a public IP per server that you translate to your internal host? Then DNS-doctoring is the easiest solution:
! Real DMZ host, its public address on the outside interface, and the "dns"
! keyword that turns on DNS doctoring for replies matching 192.0.2.10
object network SERVER
 host 10.10.10.10
 nat (DMZ,outside) static 192.0.2.10 dns
01-29-2016 10:57 AM
I enabled that but still can't ping the external IP.
01-29-2016 04:40 PM
I wasn't clear enough on that ...
The purpose of DNS-doctoring is not to reach the public IP. But now you can reach the internal host with the public FQDN that is assigned to the public IP.
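To make the rewrite concrete, here is an added model (example code, not from the thread or from Cisco) of what DNS doctoring does to a DNS reply that crosses the ASA: an A answer equal to the mapped address 192.0.2.10 from the rule above is rewritten to the real host 10.10.10.10 before the client sees it. The DNS message is constructed in the block; the ASA only gets to do this when the reply actually traverses it, which the model does not cover.

```python
import struct
import ipaddress

# Constructed mapping taken from the static NAT rule with the "dns" keyword:
# mapped (public) address -> real (inside) address.
DNS_NAT = {"192.0.2.10": "10.10.10.10"}

def _skip_name(msg, off):
    """Offset just past a DNS name (handles 0xC0 compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer occupies two bytes
            return off + 2
        off += 1 + length

def _answers(msg):
    """Yield (rdata_offset, rtype, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rdlen
        off += rdlen

def a_records(msg):
    """IPv4 addresses carried in the A answers of a DNS message."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for o, rtype, rdlen in _answers(msg) if rtype == 1 and rdlen == 4]

def doctor_reply(msg, nat=DNS_NAT):
    """Rewrite A answers that equal a mapped address to the real address.
    Returns (rewritten message, number of answers rewritten)."""
    out, hits = bytearray(msg), 0
    for off, rtype, rdlen in _answers(msg):
        if rtype == 1 and rdlen == 4:
            real = nat.get(str(ipaddress.IPv4Address(msg[off:off + 4])))
            if real:
                out[off:off + 4] = ipaddress.IPv4Address(real).packed
                hits += 1
    return bytes(out), hits

def build_reply(name, ip, txid=0x1234):
    """Constructed sample: minimal response with one compressed A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = qname + struct.pack("!HH", 1, 1)                 # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```

A reply that never passes the ASA (DNS server on the PC's own subnet) is never seen by doctor_reply, which is exactly the case the next post describes.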
01-30-2016 05:21 PM
Actually, just to clarify what Karsten has said: the DNS request needs to pass through the ASA for DNS doctoring / rewrite to work. If your PC is on the same subnet as the DNS server, DNS doctoring will not work. In this case you will need to do twice NAT to make this work, or add a new DNS A record for the internal IP of the server. Assuming that the server is located on the same subnet as the PC you are trying to reach it from, you could configure NAT as follows (let's assume that the interface is called "inside"):
object network SERVER_PRIVATE
 host 10.1.1.10
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network SERVER_PUBLIC
 host 195.16.16.16
! Twice NAT: "destination static" takes the mapped (public) object first, then
! the real one. The source is PATed to the inside interface address so the
! server's reply comes back through the ASA; with PC and server on the same
! subnet the server would otherwise answer the PC directly from 10.1.1.10.
nat (inside,inside) source dynamic LAN interface destination static SERVER_PUBLIC SERVER_PRIVATE
! Needed so traffic may enter and leave the same interface
same-security-traffic permit intra-interface
--
Please remember to select a correct answer and rate helpful posts