CISCO ASA 5525-X: Unable to reach public IPs from inside

Lucio87 (Level 1)

Hi,

I have an inside network and a DMZ. I have some services on a server that are published internally and externally with the same address: example.test.com. For external connections I have set up a reverse proxy server in the DMZ.

 

example.test.com -> 172.16.1.1 (from internal)

example.test.com -> 220.1.1.1 (from external)

192.168.1.1 (reverse proxy)

! static object NAT: the reverse proxy 192.168.1.1 is published as 220.1.1.1
object network obj-192.168.1.1
  nat static obj-220.1.1.1

 

Everything works correctly from both the internal and the external network. The problem is that my company has to use a lot of customer VPNs, and if a user is connected to one of these VPNs, the DNS used to resolve example.test.com is the customer's DNS, so the client tries to connect to 220.1.1.1.

 

To solve the problem I tried with a NAT:

! manual (twice) NAT: inside clients sending to 220.1.1.1 get the destination rewritten to 192.168.1.1
nat (inside,dmz) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-220.1.1.1 obj-192.168.1.1

 

It works quite well, but now I can no longer contact the server 192.168.1.1 from the internal network; I always have to contact it via the public address 220.1.1.1.

How can I make server 192.168.1.1 reachable from the internal network without losing connectivity to 220.1.1.1?

 

Kind regards,

Luciano

Accepted Solution

Lucio87 (Level 1)

I solved it by adding a second network card to the reverse proxy with IP 192.168.1.2. I made sure that the external address points to the new IP, then:

! static object NAT with DNS rewrite: 192.168.1.2 (dmz) is published as 220.1.1.1 (outside)
object network obj-192.168.1.2
  nat (dmz,outside) static obj-220.1.1.1 dns

 

At this point I created this NAT:

! manual (twice) NAT: inside clients sending to 220.1.1.1 get the destination rewritten to 192.168.1.2
nat (inside,dmz) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-220.1.1.1 obj-192.168.1.2

Now the external DNS points to the new IP, while the internal DNS still points to the old one.

 

Kind regards,

Luciano
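The behaviour described in this thread, as an added example that is not part of the original post and not Cisco code: a deliberately simplified Python model of how an ASA (8.3+) resolves a static NAT rule in both directions and then checks, on the first packet of a connection, that the reply would be translated consistently with the forward flow. When it would not, the connection is dropped; on a real ASA this is the ASP drop reason nat-rpf-failed ("NAT reverse path failure"). That is why the first manual NAT rule made 192.168.1.1 unreachable by its real address from inside, and why moving the published service to a second address (192.168.1.2) fixes it. The rule objects are built from the three configurations in the thread; the client address 172.16.1.10, the Internet address 203.0.113.5, the assumption that the old object NAT for 192.168.1.1 was removed when 192.168.1.2 took over 220.1.1.1 (two object NATs mapping to the same address would conflict), and the omission of routing, port translation and NAT rule sections are mine.

```python
# Added example: simplified model of ASA static NAT lookup + reverse-path check.
# Not Cisco code. Assumptions: static rules only, no PAT, no "any" interfaces,
# egress interface supplied by the caller (routing is out of scope).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRule:
    """One static NAT rule. Forward direction is real_if -> mapped_if.
    mapped_dst/real_dst are only set for manual (twice) NAT with destination translation."""
    real_if: str
    mapped_if: str
    real_src: str                      # CIDR of the real source
    mapped_src: str                    # CIDR of the mapped source (same size)
    mapped_dst: Optional[str] = None   # destination as the client sends it
    real_dst: Optional[str] = None     # destination after untranslation


def _contains(addr: str, net: Optional[str]) -> bool:
    """None means 'no condition on this field'."""
    return net is None or ip_address(addr) in ip_network(net)


def _remap(addr: str, from_net: str, to_net: str) -> str:
    """Map addr by its offset inside from_net onto to_net (host-to-host or net-to-net)."""
    f, t = ip_network(from_net), ip_network(to_net)
    return str(t.network_address + (int(ip_address(addr)) - int(f.network_address)))


def translate(rules: List[StaticRule], in_if: str, out_if: str, src: str, dst: str) -> Tuple[str, str]:
    """Apply the first rule matching this flow (a static rule is bidirectional)."""
    for r in rules:
        if (in_if, out_if) == (r.real_if, r.mapped_if):
            # forward: real -> mapped
            if _contains(src, r.real_src) and _contains(dst, r.mapped_dst):
                src = _remap(src, r.real_src, r.mapped_src)
                if r.mapped_dst is not None:
                    dst = _remap(dst, r.mapped_dst, r.real_dst)
                return src, dst
        elif (in_if, out_if) == (r.mapped_if, r.real_if):
            # reverse: mapped -> real
            if _contains(dst, r.mapped_src) and _contains(src, r.real_dst):
                dst = _remap(dst, r.mapped_src, r.real_src)
                if r.real_dst is not None:
                    src = _remap(src, r.real_dst, r.mapped_dst)
                return src, dst
    return src, dst  # no rule: pass untranslated


def classify(rules: List[StaticRule], in_if: str, out_if: str, src: str, dst: str) -> str:
    """Forward translation plus the reverse-path check: translate the reply
    (server's real address -> client) and require it to land back on the
    original (dst, src); otherwise the ASA drops with nat-rpf-failed."""
    fsrc, fdst = translate(rules, in_if, out_if, src, dst)
    rsrc, rdst = translate(rules, out_if, in_if, fdst, fsrc)
    if (rsrc, rdst) != (dst, src):
        return "DROP nat-rpf-failed"
    return f"PASS {fsrc} -> {fdst}"


# The thread's configurations (constructed from the posted rules).
OBJ_NAT_PROXY1 = StaticRule("dmz", "outside", "192.168.1.1/32", "220.1.1.1/32")
BROKEN_TWICE = StaticRule("inside", "dmz", "172.16.1.0/24", "172.16.1.0/24",
                          mapped_dst="220.1.1.1/32", real_dst="192.168.1.1/32")
OBJ_NAT_PROXY2 = StaticRule("dmz", "outside", "192.168.1.2/32", "220.1.1.1/32")
FIXED_TWICE = StaticRule("inside", "dmz", "172.16.1.0/24", "172.16.1.0/24",
                         mapped_dst="220.1.1.1/32", real_dst="192.168.1.2/32")

ORIGINAL_CONFIG = [OBJ_NAT_PROXY1]                 # before the manual NAT
BROKEN_CONFIG = [BROKEN_TWICE, OBJ_NAT_PROXY1]     # first attempt from the question
FIXED_CONFIG = [FIXED_TWICE, OBJ_NAT_PROXY2]       # accepted solution (old object NAT removed: assumption)

if __name__ == "__main__":
    client, internet = "172.16.1.10", "203.0.113.5"  # constructed sample hosts
    for name, cfg in (("original", ORIGINAL_CONFIG), ("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "inside->192.168.1.1:", classify(cfg, "inside", "dmz", client, "192.168.1.1"))
        print(name, "inside->220.1.1.1:  ", classify(cfg, "inside", "dmz", client, "220.1.1.1"))
        print(name, "outside->220.1.1.1: ", classify(cfg, "outside", "dmz", internet, "220.1.1.1"))
```

Run it and compare the "broken" and "fixed" rows for inside->192.168.1.1: in the broken configuration the forward packet matches no rule, but the reply from 192.168.1.1 to 172.16.1.10 matches the manual rule in reverse and would be source-translated to 220.1.1.1, so the check fails; in the fixed configuration the reverse rule only fires for 192.168.1.2, leaving 192.168.1.1 reachable by its real address while 220.1.1.1 still untranslates to the proxy.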

 

 


balaji.bandi (Hall of Fame)

If they are internal IP addresses, they are able to reach 192.168.1.1 - they do not require NAT, right? Do they send as original or original?

BB

=====Preenayamo Vasudevam=====


Hi Balaji,

 

If I remove the NAT rule written in the first post, I can successfully reach 192.168.1.1 (but I no longer reach the IP 220.1.1.1 from the internal network).

 

Kind regards,

Luciano

balaji.bandi (Hall of Fame)

Technically you are not required to reach the public IP address; this is internal, right?

BB


I need to reach the public IP address 220.1.1.1 because when the users of my company are connected (from the internal network) to a customer's VPN, the "example.test.com" service is resolved by the customer's DNS (so to the public IP address 220.1.1.1 -> NAT -> DMZ address 192.168.1.1).

Instead, I need to reach 192.168.1.1 directly from the internal network, because there are many services that point directly to the IP 192.168.1.1 and it would be quite problematic to modify them all.

I would like to find a way to keep the public IP 220.1.1.1 and the DMZ IP 192.168.1.1 reachable from the internal network 172.16.1.0/24 at the same time.

 

Kind regards,

Luciano
