NAT config to allow access to two hosts in the same DMZ (RFC 1918) when DNS resolves to a public IP???

jsanderson311
Level 1

I am using a three interface ASA config (Internet, DMZ, Inside).  The DMZ and Inside networks are both RFC 1918 space; however, it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IPs which NAT to the DMZ hosts.  In my DMZ network there are two devices - a Web Server and an 802.11 Access Point.

The Web Server is hosting our corporate web site.  When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to.  A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.

Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?  (Let me know if you need a drawing)

1 Reply

barry
Level 7

Hi Jason

I assume you want the guest users on the wireless to be able to target the public IP address of the web server and have that translated to the private RFC 1918 address by the ASA - which won't happen by default. With policy NAT you should be able to configure this. A drawing may be useful, but you can definitely NAT on the ASA in this manner (in and back out of the same interface).

It's a pretty complicated configuration from a NAT perspective, but it can definitely be done. You will also need to ensure that you enable "same interface" routing. How you configure the NAT will depend on the version of software you are running on the ASA - NAT changes radically in version 8.3. However it should be possible regardless of which version you are on.

The other option of course is to use an alternate DNS server (possibly an internal one) for the guest users which returns the RFC 1918 address for the web site rather than the public one.

HTH. Barry
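The hairpin ("U-turn") NAT that Barry describes, written out as an added example for both NAT syntaxes. This is not configuration from the original thread; the interface names and addresses are assumed for illustration: the web server is 192.168.10.10 on interface dmz, its public address is 203.0.113.10 on interface outside, and the guest clients behind the access point sit in 192.168.10.0/24. The key points are (1) same-security-traffic permit intra-interface, without which the ASA drops traffic that enters and leaves the same interface, (2) a destination translation of the public IP back to the real IP on the dmz interface, and (3) a source translation of the guest clients to the dmz interface address, so the web server's replies come back through the ASA instead of going straight to the client (which would otherwise see a reply from 192.168.10.10 to a connection it opened to 203.0.113.10 and reset it).

```cisco
! --- Common to both versions: allow traffic to enter and leave the dmz interface
same-security-traffic permit intra-interface

! ======================= ASA 8.2 and earlier (static/nat/global) =======================
! Existing publication of the web server to the Internet (assumed addressing)
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
! Hairpin destination NAT: a dmz client targeting 203.0.113.10 is sent to 192.168.10.10
static (dmz,dmz) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
! Hairpin source PAT: hide the guest clients behind the dmz interface address so the
! web server answers the ASA, not the client directly
nat (dmz) 1 192.168.10.0 255.255.255.0
global (dmz) 1 interface

! ======================= ASA 8.3 and later (object NAT / twice NAT) =======================
object network WEB_REAL
 host 192.168.10.10
object network WEB_PUBLIC
 host 203.0.113.10
object network DMZ_CLIENTS
 subnet 192.168.10.0 255.255.255.0
! Existing publication of the web server to the Internet
object network WEB_REAL
 nat (dmz,outside) static WEB_PUBLIC
! Hairpin in a single twice-NAT rule: source = guest clients PATed to the dmz interface,
! destination = the public IP (mapped, what the client targets) rewritten to the real IP
nat (dmz,dmz) source dynamic DMZ_CLIENTS interface destination static WEB_PUBLIC WEB_REAL
```

Two checks before declaring it done: the access list applied to the dmz interface must permit the flow (in 8.3+ access lists are written against real addresses, so permit to 192.168.10.10, not the public IP), and `show xlate` / `show conn` while a guest client browses should show the client PATed to the dmz interface address with the destination already rewritten to 192.168.10.10. The alternative Barry mentions, handing the guests a DNS answer with the RFC 1918 address, can also be done on the ASA itself with the `dns` keyword on the existing outside static (`... netmask 255.255.255.255 dns` in 8.2, `nat (dmz,outside) static WEB_PUBLIC dns` in 8.3+), which rewrites the A record in DNS replies crossing from outside to dmz; that avoids the hairpin entirely but only works if the guests' DNS replies actually pass through the ASA.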
