NAT & ACL

Dave Christman
Level 1

ASA 5520 8.2 code

Inside Interface:  10.60.53.1/24

DMZ Interface:  172.16.125.1/24

Public Mail Server:  1.1.1.1

I have traffic coming from a 10.60.48.0 network across the WAN that hits the firewall inside interface and would normally go out to the internet.  That works now.  But I have a mail server that sits inside the DMZ network and has a static NAT to be translated to 1.1.1.1 to the outside.  The clients on 10.60.48.0/24 network use public dns so the mail server appears to them as 1.1.1.1.  Say I only need https access to the mail server from the 10.60.48.0/24 network.  Is the NAT below correct?

nat (inside) 0 access-list nonat

nat (DMZ) 0 access-list nonat

access-list nonat permit ip 10.60.48.0 255.255.255.0 host 1.1.1.1

access-list DMZ permit tcp 10.60.48.0 255.255.255.0 host 1.1.1.1 eq https

Thanks,

Dave

7 Replies

Jouni Forss
VIP Alumni

Hi,

Seems kind of strange to me.

Is this other network 10.60.48.0/24 behind some L2L VPN connection or perhaps a VPN Client connection or what are we talking about?

Might need to see some more configurations from the firewall

- Jouni

Nothing with VPN.  It is one of the remote branches in our WAN using a test wireless connection.  There is routing for it so everything else is working fine as it comes into our corporate office router and the corporate office router has a default route to the firewall so internet works fine from this remote branch when on the wireless.  I'm looking to put some mobile devices on it which will need access to the mail server inside the DMZ. 

Ok,

But I imagine that the network is then located behind the "inside" interface of the ASA or? Just need to confirm as I am seeing only a very limited amount of configurations.

It would be good to see the current existing NAT configurations on the ASA.

- Jouni

That is correct.  The 10.60.48.0/24 branch network has no internet connection and must route back to corporate to use the internet.  Sorry I am using fake IPs because I am not allowed to post config, but I believe knowing if this example will work will help me.

Hi,

Ok so server behind "DMZ" and remote site behind "inside".

It would seem to me that you would have to NAT the "DMZ" server to its public IP address towards the "inside" interface of the ASA. And if we wanted to apply this only to certain traffic then it sounds to me that you might want to configure Static Policy NAT.

access-list MAIL-POLICY-NAT permit ip host <mail-server-DMZ-IP> 10.60.48.0 255.255.255.0

static (DMZ,inside) 1.1.1.1 access-list MAIL-POLICY-NAT

And then open the required services on the "access-list" of the "inside" interface.

To my understanding this should enable the DMZ server to be visible to only the remote network with the public IP address with the IP address 1.1.1.1 instead of its local IP address. Any other network behind "inside" should still be able to use the local IP address of the DMZ server.

- Jouni

Ok that makes sense. I actually already have a static NAT for the mail server in the DMZ to NAT to a public address. That is how normal mobile users get mail from anywhere on the internet.  Below is the rule for that:

static (DMZ,Outside) 1.1.1.1 172.16.125.10 netmask 255.255.255.255

The mail server has a DMZ ip address of 172.16.125.10

I guess that may only work for when connecting from the outside though. 

So if I put the following below in addition:

access-list MAIL-POLICY-NAT permit ip host 172.16.125.10 10.60.48.0 255.255.255.0

static (DMZ,inside) 1.1.1.1 access-list MAIL-POLICY-NAT

access-list inside permit tcp 10.60.48.0 255.255.255.0 host 1.1.1.1 eq https

Does that look correct?  My only other thing is since this site uses a public DNS server they go to the 1.1.1.1 address and not know about the 172.16.125.10 address in the beginning of the connection.  Will that still be ok?

Thanks for your help.

Hi,

The above NAT configuration is a Static Policy NAT, which means it's doing Static NAT for the DMZ server, but as it's a Policy NAT it will only be applied when the traffic matches certain criteria. That criteria is defined in the ACL.

In this case it essentially means that when there is traffic from the DMZ server to the remote site, the DMZ server should be NATed to the IP address 1.1.1.1. This naturally works in your case: when the remote site connects to the IP address 1.1.1.1, the traffic gets forwarded to this ASA, the destination IP address 1.1.1.1 is translated to the real IP address of the DMZ server, and it is forwarded to it.

So the remote site should be able to connect to the DMZ server with the public IP address.

Notice that the above configuration applies to any TCP/UDP connection towards this server. All connections from 10.60.48.0/24 network towards the DMZ server need to use the public IP address.

If this is not ok then I imagine that there should be a way to narrow it down even more to apply only to HTTPS traffic.

After you have configured the NAT configuration you can test it with the "packet-tracer" command to confirm if it works:

packet-tracer input inside tcp 10.60.48.100 12345 1.1.1.1 443

Naturally you replace the 1.1.1.1 with the real public IP address. Source IP address and port are just random values chosen by me.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed.

- Jouni
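The pieces discussed in this thread combined into one ASA 8.2-style fragment, as an added example that is not from either poster; it uses the thread's sample addresses, and the inside ACL name "inside" plus the access-group binding are my assumption (if an ACL is already applied inbound on inside, add the permit line to that ACL instead of binding a new one, or all other inside traffic will hit the implicit deny).

```cisco
! Added example (not from the thread): static NAT to the Internet plus
! static policy NAT towards inside, with HTTPS-only access from the branch.
!
! Existing static NAT: Internet clients reach the mail server as 1.1.1.1
static (DMZ,Outside) 1.1.1.1 172.16.125.10 netmask 255.255.255.255
!
! Static policy NAT: only when the DMZ server talks to 10.60.48.0/24 is it
! presented on the inside interface as 1.1.1.1. Because the static is
! bidirectional, the branch can open connections to 1.1.1.1 and the
! server's replies come back sourced from 1.1.1.1. Every other network
! behind inside keeps using 172.16.125.10 directly.
access-list MAIL-POLICY-NAT extended permit ip host 172.16.125.10 10.60.48.0 255.255.255.0
static (DMZ,inside) 1.1.1.1 access-list MAIL-POLICY-NAT
!
! Inbound ACL on inside. On 8.2 code an interface ACL is matched against
! the address the branch host actually sends to, i.e. the mapped 1.1.1.1,
! so the public address appears here, not 172.16.125.10. Only HTTPS is
! opened; any other port from the branch to 1.1.1.1 is dropped by the
! implicit deny at the end of the list. (ACL name and binding assumed.)
access-list inside extended permit tcp 10.60.48.0 255.255.255.0 host 1.1.1.1 eq https
access-group inside in interface inside
!
! Verify before relying on it: the HTTPS probe should show the static
! policy NAT phase being hit and end with "Action: allow"; the SMTP probe
! should end with "Action: drop" from the inside ACL. Source IP and port
! are arbitrary constructed values.
packet-tracer input inside tcp 10.60.48.100 12345 1.1.1.1 443
packet-tracer input inside tcp 10.60.48.100 12345 1.1.1.1 25
```

No DNS doctoring is needed here: the branch resolves the mail server to 1.1.1.1 via public DNS and connects to that address, which is exactly what the static policy NAT expects to see.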
