11-13-2014 11:27 AM - edited 03-11-2019 10:04 PM
Hello!
I am fairly new to this level of configuration and was hoping someone would grace me with their knowledge.
My current setup is that I have a webserver (10.1.10.5) in a DMZ with its SQL counterpart on the inside. Traffic is flowing correctly between the two as well as from the DMZ to the internet, however, I cannot access the website on the webserver from the public internet.
When I run canyouseeme.org on the webserver it shows that port 80 is not getting traffic. Any ideas on how to fix my config? I've been /headdesk on this one.
Thanks!
11-17-2014 10:57 AM
I'd like users on the Inside interface to be able to enter the web address of the webserver application and access it without having to use the internal IP. I may have to accomplish this using an actual DNS server.
11-17-2014 12:07 PM
Can you use a dedicated public IP for the webserver? Then you can tweak the DNS replies so that the ASA changes the public address in a DNS reply to the actual IP of the server. But that doesn't work if only a port is forwarded. If you can, the translation looks like the following:
object network WEBSERVER-TCP80
 nat (dmz,outside) static a.b.c.d dns
Other ways are to configure the FQDN in your internal DNS with the private IP, or use destination NAT for the public IP. But that again makes your config more complex and harder to troubleshoot.
11-17-2014 01:24 PM
Unfortunately I only have the 1 static IP address.
Would something like this work?
object network internal
 range 192.168.0.1 192.168.0.254
object network external
 host [IP address of your WAN interface]
object network server-internal
 host [server internal IP address]
object network server-external
 host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal
11-17-2014 01:41 PM
That goes into the right direction (if you really want to go that way):
The destination is changed statically from server-external to server-internal. But you don't have to change the source address. These addresses can be dynamically identity-natted. And if I remember right, the interfaces are (inside,dmz) in this scenario, but I don't remember exactly:
nat (inside, dmz) source dynamic internal internal destination static server-external server-internal
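To make the difference between the two rules concrete, here is an added Python model of how a twice-NAT rule rewrites a packet from an inside client toward the web server's public address. It is example code written for this thread, not Cisco's implementation and not the poster's config. It assumes constructed addresses (203.0.113.10 as the single static IP used for both the WAN interface and server-external, 192.168.0.25 as a client) and models the 'range 192.168.0.1 192.168.0.254' object as a /24; the real ASA's PAT, reverse-direction and rule-ordering behaviour is not modelled.

```python
"""Model of ASA twice-NAT source/destination rewriting (added example, constructed addresses)."""
from dataclasses import dataclass
import ipaddress

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NetObject:
    """Stands in for 'object network <name>' (host or range, modelled as a network)."""
    name: str
    net: IPv4Net

    def __contains__(self, ip: IPv4) -> bool:
        return ip in self.net

    def map_from(self, ip: IPv4, real: "NetObject") -> IPv4:
        """Translate ip (a member of 'real') into this object's address space.
        Identity NAT (same object on both sides) leaves it unchanged; a single-host
        mapped object absorbs every real address; otherwise the offset is kept."""
        if self.net == real.net:
            return ip
        if self.net.num_addresses == 1:
            return self.net.network_address
        return self.net[int(ip) - int(real.net.network_address)]


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class Translated:
    egress: str
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_ifc,mapped_ifc) source {static|dynamic} SRC_REAL SRC_MAPPED
                                 destination static DST_MAPPED DST_REAL"""
    real_ifc: str
    mapped_ifc: str
    src_real: NetObject
    src_mapped: NetObject
    dst_mapped: NetObject
    dst_real: NetObject

    def matches(self, pkt: Packet) -> bool:
        # Inside hosts address the server by its mapped (public) address.
        return (pkt.ingress == self.real_ifc
                and pkt.src in self.src_real
                and pkt.dst in self.dst_mapped)

    def apply(self, pkt: Packet) -> Translated:
        new_src = self.src_mapped.map_from(pkt.src, self.src_real)
        new_dst = self.dst_real.map_from(pkt.dst, self.dst_mapped)
        return Translated(self.mapped_ifc, new_src, new_dst)


def translate(pkt: Packet, rules: list) -> "Translated | None":
    """First matching rule wins; None means the packet is not translated."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt)
    return None


# Constructed objects (only 10.1.10.5 comes from the thread).
INTERNAL = NetObject("internal", IPv4Net("192.168.0.0/24"))
EXTERNAL = NetObject("external", IPv4Net("203.0.113.10/32"))          # the one static IP
SERVER_INTERNAL = NetObject("server-internal", IPv4Net("10.1.10.5/32"))
SERVER_EXTERNAL = NetObject("server-external", IPv4Net("203.0.113.10/32"))

# First attempt: source static internal external ... (client address replaced).
PROPOSED = TwiceNatRule("inside", "dmz", INTERNAL, EXTERNAL, SERVER_EXTERNAL, SERVER_INTERNAL)
# Corrected: source dynamic internal internal ... (identity NAT, client address kept).
CORRECTED = TwiceNatRule("inside", "dmz", INTERNAL, INTERNAL, SERVER_EXTERNAL, SERVER_INTERNAL)


def hairpin(rule: TwiceNatRule, client: str = "192.168.0.25") -> "Translated | None":
    """An inside client connects to the web server's public address."""
    return translate(Packet("inside", IPv4(client), SERVER_EXTERNAL.net.network_address), [rule])


if __name__ == "__main__":
    for name, rule in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(name, hairpin(rule))
```

With the corrected rule the web server still sees the real client address, so its access logs remain useful when you need to trace who did what; with the first form every internal client would show up as the firewall's WAN address.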
11-18-2014 12:47 PM
This worked :) I had to create another rule above it to allow my SQL server to still communicate with the webserver using internal IPs. I'm good with everything else being outside.
Thanks so much for all of your insight. You've been a great help!
11-18-2014 01:01 PM
Fine that it works. And now don't forget to go to
for even more NAT-knowledge ... ;-)