Configure ASA-5508, can't connect to internal web server with real IP/DNS

badrakh.siticom
Level 1

interface outside: Static PAT, Static NAT

nat (any,outside) source static NAT-Private NAT-Public

object network PAT-Private
nat (inside,outside) static interface

interface inside: with Dynamic PAT

object network INSIDE-NET
nat (inside,outside) dynamic interface

ACL 

object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq 8045

access-list outside_access_in_1 extended permit tcp any object NAT-Private object-group DM_INLINE_TCP_2

object-group service Services
description Services
service-object tcp destination eq www
service-object tcp destination eq https

access-list outside_access_in_1 extended permit object-group Services any object PAT-Private

Service_Policy_Rule

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!

 

How do I connect to my internal web server from the inside interface using its public IPs?

Hairpin NAT is not working successfully for the domain.

Accepted Solution

Hello
I assume then you are trying to access this web server via IP address, not DNS, correct?
From your topology I cannot distinguish what is internal and what isn't. The following is an example of accessing a web server from internal hosts using the web server's public address, specifying the NAT entries to be most preferred in the NAT table and serviced first.

Example:
webserver public - 1.1.1.10
webserver - 10.1.100.10

inside 10.1.100.0/24

lan1 - 10.1.101.0 /24
lan1 - 10.1.102.0 /24

object network webhostpub
host 1.1.1.10

object network webhost
host 10.1.100.10
nat (inside,outside) static webhostpub service tcp www www


nat (inside,inside) 1 source dynamic any interface destination static webhostpub webhost
nat (vl101,inside) 1 source dynamic any interface destination static webhostpub webhost
nat (vl102,inside) 1 source dynamic any interface destination static webhostpub webhost

access-list 105 extended permit tcp any host 10.1.100.10 eq www
access-group 105 in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


4 Replies

Hello

try the following - 

object network web
host < lan web server>
nat (inside,outside) static <public web server> dns

or 
nat (inside,outside) source static web interface dns

policy-map global_policy
class inspection_default
inspect dns


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
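As an added example (not configuration from Paul's replies, from the original poster, or from Cisco), here are the two approaches from this thread assembled into one ASA configuration using Paul's object names: the twice-NAT hairpin from the accepted solution, and the DNS-doctoring alternative from the first reply. Assumed values that are not in the thread: inside interface 10.1.100.1, sub-interfaces vl101 and vl102 on their own /24s, a client at 10.1.101.5, and the web server listening on TCP 80. Comment lines start with `!`.

```cisco
! Added example, not the thread's own config. Assumed addressing:
!   inside 10.1.100.1/24, vl101 10.1.101.1/24, vl102 10.1.102.1/24,
!   web server 10.1.100.10 (real) / 1.1.1.10 (public).
!
! Required before any (inside,inside) rule can pass traffic: a packet
! must be allowed to enter and leave the same interface.
same-security-traffic permit intra-interface
!
object network webhostpub
 host 1.1.1.10
!
object network webhost
 host 10.1.100.10
 ! Approach A: object (auto) NAT with port translation, section 2 of
 ! the NAT table. Exposes only TCP/80 of the server on 1.1.1.10.
 nat (inside,outside) static webhostpub service tcp www www
!
! Approach A, hairpin part: twice NAT in section 1, line 1, so it is
! evaluated before the object NAT above. Destination 1.1.1.10 is
! rewritten to 10.1.100.10 and the client's source is PATed to the
! ASA inside interface. The source PAT is what makes the server's
! reply come back through the ASA to be un-translated; without it the
! server would answer the client directly and the client would drop
! the reply because it came from 10.1.100.10, not 1.1.1.10.
nat (inside,inside) 1 source dynamic any interface destination static webhostpub webhost
nat (vl101,inside) 1 source dynamic any interface destination static webhostpub webhost
nat (vl102,inside) 1 source dynamic any interface destination static webhostpub webhost
!
! Internet-side access. The ACL matches the real (post-NAT) address.
access-list 105 extended permit tcp any host 10.1.100.10 eq www
access-group 105 in interface outside
!
! Approach B, an alternative to A (configure one or the other):
! DNS doctoring. Inside clients resolve the name through a DNS server
! on the far side of the ASA; DNS inspection rewrites 1.1.1.10 in the
! A-record reply to 10.1.100.10, so clients connect to the real address
! and no hairpin rules are needed. The dns keyword cannot be combined
! with a service (port) translation, so this must be a plain 1:1 static.
! object network webhost
!  nat (inside,outside) static webhostpub dns
! policy-map global_policy
!  class inspection_default
!   inspect dns preset_dns_map
!
! Verification for approach A (assumed client 10.1.101.5):
! packet-tracer input vl101 tcp 10.1.101.5 40000 1.1.1.10 80
! show nat detail
! show xlate | include 1.1.1.10
```

The packet-tracer run should show the (vl101,inside) twice-NAT rule being hit, the destination un-translated to 10.1.100.10 and the egress interface chosen as inside rather than outside; if the trace ends in a drop at the NAT or "same-security" phase, the intra-interface permit or the rule ordering is the first thing to check. Approach B only works when the DNS replies actually cross the ASA on the (inside,outside) pair; clients using an internal DNS server never have the reply rewritten, and for them approach A is the one that applies.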
