Hello,
One of my clients still has their IP addressing scheme assigned to public addresses. The inside/LAN segment (end-stations and servers) is assigned a public IP subnet (using this subnet as an example: 173.168.157.0/24). The DMZ segment is assigned a private IP address: 192.168.100.0/24. They have a web server sitting on the DMZ (192.168.100.2) and NAT'd to a public IP address: 173.168.157.1/24. The issue is that users on the inside can access the web server using the real IP address, 192.168.200.2, but not the mapped IP address, 175.168.157.1. I am thinking that this is a NAT hairpinning, NAT reflection, or NAT U-turn issue, but I could be wrong. Has anyone run into an issue such as this one? What was the solution?
Here's an excerpt from the ASA's config file:
access-list DMZ extended permit tcp host 192.168.100.2 173.168.157.0 255.255.255.0
access-list DMZ extended permit tcp host 192.168.100.2 any4 eq https
access-list DMZ extended permit tcp host 192.168.100.2 any4 eq www
access-list DMZ extended deny ip any4 any4 log
access-list outsideIn extended permit tcp any4 host 192.168.100.2 eq https
access-list outsideIn extended permit tcp any4 host 192.168.100.2 eq www
access-list InsideOut extended permit icmp any4 any4
access-list InsideOut extended permit udp any4 any4
access-list InsideOut extended permit tcp any4 any4
access-list InsideOut extended permit ip any4 any4
access-group outsideIn in interface outside
access-group InsideOut in interface inside
access-group DMZ in interface DMZ
object network obj-173.168.157.0
 nat (inside,inside) static 173.168.157.0
object network obj-192.168.100.2
 nat (DMZ,outside) static 173.168.157.1
object network obj-173.168.157.0
 subnet 173.168.157.0 255.255.255.0
object network obj-192.168.100.2
 host 192.168.100.2
object network obj-173.168.157.1
 host 173.168.157.1
Much appreciated.
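As an added diagnostic, not part of the post above: a Python check that parses the object NAT lines from the excerpt and reports, for a client on the inside interface, why the mapped address 173.168.157.1 is never translated by the firewall. It assumes inside is 173.168.157.0/24 and DMZ is 192.168.100.0/24 as the post describes, and that an ASA object NAT rule only applies between the two interfaces named in its nat statement; the interface names and the sample config are constructed from the post.

```python
import re
import ipaddress

# Constructed input: the object NAT lines from the post, with their object definitions.
ASA_EXCERPT = """\
object network obj-173.168.157.0
 subnet 173.168.157.0 255.255.255.0
 nat (inside,inside) static 173.168.157.0
object network obj-192.168.100.2
 host 192.168.100.2
 nat (DMZ,outside) static 173.168.157.1
"""
# Assumption: interface subnets as described in the post (inside is a public /24).
INTERFACE_SUBNETS = {"inside": "173.168.157.0/24", "DMZ": "192.168.100.0/24"}


def parse_object_nat(text):
    """Return one dict per 'nat (real,mapped) static X' line, with real and mapped networks resolved."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[-1]
        elif line.startswith("host ") and current:
            objects[current] = ipaddress.ip_network(line.split()[1])  # single host -> /32
        elif line.startswith("subnet ") and current:
            ip, mask = line.split()[1:3]
            objects[current] = ipaddress.ip_network(f"{ip}/{mask}")
        elif (m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line)) and current:
            rules.append({"object": current, "real_if": m[1], "mapped_if": m[2], "mapped_ip": m[3]})
    for r in rules:  # a static mapping keeps the real object's prefix length
        r["real"] = objects[r["object"]]
        r["mapped"] = ipaddress.ip_network(f"{r['mapped_ip']}/{r['real'].prefixlen}", strict=False)
    return rules


def hairpin_findings(rules, interface_subnets, client_if, target_ip):
    """Explain why a client on client_if cannot reach target_ip through the firewall's NAT."""
    target = ipaddress.ip_address(target_ip)
    findings = []
    client_net = ipaddress.ip_network(interface_subnets[client_if])
    if target in client_net:  # on-link address: hosts ARP for it instead of sending it to the gateway
        findings.append(f"{target} lies in {client_if}'s own subnet {client_net}: hosts there ARP for it "
                        f"directly instead of routing to the firewall")
    # Only rules between two different interfaces can translate traffic arriving on client_if.
    matching = [r for r in rules if target in r["mapped"] and r["real_if"] != r["mapped_if"]]
    if not any(r["mapped_if"] == client_if for r in matching):
        have = ", ".join(f"({r['real_if']},{r['mapped_if']})" for r in matching) or "none"
        findings.append(f"no static NAT maps {target} on the {client_if} interface (rules seen: {have}), "
                        f"so traffic from {client_if} is never translated to the real DMZ address")
    return findings
```

Running `hairpin_findings(parse_object_nat(ASA_EXCERPT), INTERFACE_SUBNETS, "inside", "173.168.157.1")` returns both findings; the same call for a client on outside returns none, which matches the behaviour described in the post.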