01-24-2012 10:04 PM - edited 03-11-2019 03:19 PM
We have an ASA 5550. I have a portal server in the DMZ which is NATed statically to a public IP address for port 443. The application works fine from the outside world. The server is also NATed with a dynamic NAT from inside to DMZ, and when I hit the DMZ IP from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public IP address and not through the DMZ. Please let me know what I should do to resolve this issue, as it is a bit urgent.
01-24-2012 11:38 PM
Hi,
I assume you're using an ASA software version below 8.3?
From 8.3 onwards you can configure a static NAT to use the same public NAT IP towards any interface. This would mean that even though the DMZ server has a private IP address you could NAT that IP address towards "outside" and "inside" with the same IP address (and any other interfaces you might have).
In the new software (8.3 onwards) the static NAT I mentioned above would look something like this:
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,outside) static 1.2.3.4 dns
Or, if you want to NAT the DMZ server to the same public IP address towards every ASA interface. Though in this case you have to take into consideration how this affects all of your connections from "inside" to the server in the "dmz" segment.
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,any) static 1.2.3.4 dns
With ASA software 8.2 and below you can't connect to the DMZ server using the public IP address that you have NATed it to towards "outside". Though one way would be to use DNS doctoring (not sure if the term is right) in the NAT and connect to the server using its name. This would of course require that the server's public IP address had a DNS name on a public server. This way at least both "inside" and "outside" users would be connecting to the same "address", though in this case a name, not an IP address.
In the 8.2 and earlier old static NAT format it would look something like this:
static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns
To my understanding you can't get the situation you mentioned to work if you're still using ASA software below 8.3. One option of course would be to get a public IP address range directly to the "dmz" so you wouldn't have to do NAT at all for the DMZ servers.
- Jouni
EDIT:
Is there any particular reason you are doing dynamic NAT for the users on "inside" connecting to "dmz"? Just wondering, as I personally very rarely NAT traffic between interfaces that are local to my network.
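A fuller 8.3+ version of the object NAT Jouni describes, added here as an example rather than taken from the thread. The interface names and addresses (10.10.10.10, 1.2.3.4) are the ones in the post above; the inside client address 192.168.1.50 and the ACL name OUTSIDE-IN are assumptions. With the `any` form an inside client connects to the public address and the ASA untranslates it on the way into the DMZ, so an internal DNS server can keep handing out the public record. The `dns` keyword only rewrites A records in replies that actually pass through the ASA (it relies on the DNS inspection that is enabled in the default global policy), which is why it does nothing for clients that resolve against a DNS server on the same inside segment.

```text
! Added example (not the thread's own configuration): ASA 8.3+ object NAT
! publishing the DMZ server on the same public IP toward every interface.
! Interface names, 10.10.10.10 and 1.2.3.4 follow Jouni's post; the inside
! client 192.168.1.50 and the ACL name OUTSIDE-IN are assumptions.
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,any) static 1.2.3.4 dns
!
! The translation alone does not permit the flow from the internet.
! On 8.3+ the interface ACL matches the real (untranslated) address,
! so the rule references the object, not 1.2.3.4.
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq https
access-group OUTSIDE-IN in interface outside
!
! Verification from the CLI: walk a simulated SYN from an inside client
! to the public IP through the rule base. The NAT phase of the output
! should show the destination being untranslated to 10.10.10.10 and the
! final result should be ALLOW with egress interface dmz.
packet-tracer input inside tcp 192.168.1.50 40000 1.2.3.4 443
!
! After a real connection: the NAT rule with its hit count, and the
! translation that was built for it.
show nat detail
show xlate
```

Keep Jouni's caveat in mind when choosing the `any` form: once the server is published on the inside interface under 1.2.3.4, that is the address inside hosts should use, so any firewall rules or host entries that point at 10.10.10.10 from the LAN need to be reviewed.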
01-25-2012 12:43 AM
I am running version 7.2(4) on my ASA, so I believe the first solution won't work in my case. I had tried using the following as well:
static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns
but it did not work either, because we have an internal DNS server. But with the above command it works when the public DNS is used.
There is no specific reason for NATing my DMZ with inside; it's only for security reasons.
01-25-2012 09:18 AM
Hello Imroz,
Please try this and let me know!
static (dmz,inside) 1.2.3.4 10.10.10.10
Regards,
Julio
Rate helpful posts!
01-29-2012 02:28 AM
The issue is resolved; the following commands helped, apart from the regular static NAT:
global (inside) 1 interface
static (dmz,inside) outside dmz netmask 255.255.255.255
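The equivalent on the 7.2 code the original poster runs, written out as an added example (not the thread's own configuration): Julio's `static (dmz,inside)` line next to the existing outside static, with the interface ACL and the checks. Addresses follow Jouni's example; the inside client 192.168.1.50 and the ACL name OUTSIDE-IN are assumptions. Two differences from the 8.3+ syntax are visible here: the outside ACL matches the mapped address rather than the real one, and the translation toward inside has to be declared as its own static line. The resolving post presumably writes that same static with `name`-defined labels (outside, dmz) in place of the literal addresses.

```text
! Added example (not the thread's own configuration): ASA 7.2/8.2 syntax
! for reaching the DMZ server on its public IP from the inside LAN.
! 10.10.10.10 and 1.2.3.4 follow Jouni's post; 192.168.1.50 and the ACL
! name OUTSIDE-IN are assumptions.
!
! Existing publication toward the internet (pre-8.3: ACL uses the mapped IP).
static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 1.2.3.4 eq https
access-group OUTSIDE-IN in interface outside
!
! Julio's addition: present the same public IP on the inside interface so
! LAN clients can use the address the public DNS hands out. Without this
! line an inside host sending to 1.2.3.4 is routed out the outside
! interface and never reaches the DMZ.
static (dmz,inside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255
!
! Check: a simulated inside client SYN to the public IP should be
! untranslated to 10.10.10.10 and allowed out the dmz interface.
packet-tracer input inside tcp 192.168.1.50 40000 1.2.3.4 443
!
! After a real connection the static translation shows up here.
show xlate
```

If `nat-control` is enabled on the box, traffic from inside to dmz that is not covered by a static still needs a matching `nat`/`global` pair, which is the role the dynamic NAT and the `global (inside) 1 interface` line play in the resolving post.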
01-29-2012 01:31 PM
Hello Imroz,
Great to hear I could help!
Please mark the question as answered so future users can learn from this discussion.
Regards,
Julio