09-01-2014 01:24 AM - edited 03-11-2019 09:41 PM
Hi all,
I'm trying to convert my ASA 8.2 to 8.3 new commands.
I have some NAT rules which make it possible for "inside" people to reach a DMZ server with its public URL (www.mydomain.com)
Ex : Inside --> http://www.mydomain.com --> DMZ Web Server
Outside --> http://www.mydomain.com --> DMZ Web Server
My config (8.2 version)
static (dmz,outside) OUT-WEB DMZ-WEB netmask 255.255.255.255
static (dmz,inside) OUT-WEB DMZ-WEB netmask 255.255.255.255
How do I do it in version 8.3?
09-01-2014 02:45 AM
Hi again,
OK, I think I found it
Solution 1 (normal NAT)
nat (dmz,inside) source static DMZ-WEB OUT-WEB
nat (dmz,outside) source static DMZ-WEB OUT-WEB
Solution 2 (object NAT)
object network OUT-WEB
 host a.b.c.d
object network DMZ-WEB
 host w.x.y.z
 nat (dmz,outside) static OUT-WEB
With solution 2, it's impossible to configure 2 NAT rules like I've done in solution 1. I choose solution 1, which is much more transparent for me.
Could somebody confirm I'm right?
Thanks
09-01-2014 07:16 AM
For object NAT you need a different object for every NAT-rule. But all these objects have the same host configured. For reaching your DMZ-server with the public name, you don't need any NAT from inside to DMZ, just DNS-doctoring:
object network DMZ-WEB
 host a.b.c.d
 nat (dmz,outside) static OUT-WEB dns
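The two approaches discussed in the reply above, written out for ASA 8.3 and later as an added example (not configuration posted by the thread's participants). The object names DMZ-WEB-OUT and DMZ-WEB-IN are hypothetical; w.x.y.z stands for the server's real DMZ address and a.b.c.d for its public address, following the original question's placeholders.

```cisco
! Added example. Options A and B are alternatives: configure one, not both.
!
! Mapped (public) address, referenced by every rule below.
object network OUT-WEB
 host a.b.c.d
!
! Option A: replicate the two 8.2 "static" lines with object NAT.
! A network object holds only one nat statement, so the same real host
! is defined twice under different (hypothetical) object names.
object network DMZ-WEB-OUT
 host w.x.y.z
 nat (dmz,outside) static OUT-WEB
object network DMZ-WEB-IN
 host w.x.y.z
 nat (dmz,inside) static OUT-WEB
!
! Option B: a single rule with DNS rewrite ("DNS doctoring").
! No (dmz,inside) rule is needed: the A record in a DNS reply that passes
! through the ASA is rewritten from a.b.c.d to w.x.y.z, so inside clients
! connect to the real DMZ address. This depends on DNS inspection being
! enabled and on the DNS reply actually traversing the firewall.
object network DMZ-WEB
 host w.x.y.z
 nat (dmz,outside) static OUT-WEB dns
```

From 8.3 onward, interface access lists match the real address, so the outside rule that permits web traffic to this server has to reference w.x.y.z rather than a.b.c.d after the migration.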
09-01-2014 08:08 AM
Hi Karsten,
OK, another good idea. I will try without the object NAT rule:
nat (dmz,outside) source static DNS-WEB OUT-WEB dns
Thanks