07-27-2007 06:03 PM - last edited on 03-25-2019 05:38 PM by ciscomoderator
I just replace a clients PIX with an ASA 5510. They weren't using static nats and had all their servers set up with dual NICs. One connected to the internet and one to their inside network. Now that the ASA is in place, they are using static nats . However, one of their apps that they use on the internal network connects to an internet IP. It's hard coded and cannot be changed. So, now when they try to connect, it does not work. Is there any way to get this to work with the ASA?
TIA.
Dan
07-27-2007 06:39 PM
Sure, but where is the destination? If it's on the dmz and the request is coming from the inside you can do destination nat.
static (dmz,inside) public.ip private.ip netmask 255.255.255.255
Or if the destination is on the inside along with the source then you have to hairpin.
same-security-traffic permit intra-interface
static (inside,inside) public.ip private.ip netmask 255.255.255.255
nat (inside) 1 0 0
global (inside) 1 interface
Please rate helpful posts.
07-27-2007 06:46 PM
They want to connect to an IP on the outside of the firewall that is natted back inside.
for example:
ftp to: 1.1.1.1 which is natted to 2.2.2.2 on the inside and make this connection from the internal network
So, for a destination nat, they would do:
static (outside,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 ?
07-30-2007 04:35 AM
So if you have something like
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
and the connection from inside is to x.x.x.x then you would use the hairpinning method I referenced above.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: