Solved: Nat rule to access DMZ server from inside with public URL

olipaudex · ‎09-01-2014

Hi all,

I'm trying to convert my ASA 8.2 to 8.3 new commands.

I have some NAT rules, which make the possibility for "inside" people to reach a DMZ server with it public URL (www.mydomain.com)

Ex : Inside --> http://www.mydomain.com --> DMZ Web Server

Outside --> http://www.mydomain.com --> DMZ Web Server

My config (8.2 version)

static (dmz,outside) OUT-WEB DMZ-WEB netmask 255.255.255.255
static (dmz,inside) OUT-WEB DMZ-WEB netmask 255.255.255.255

How do it in 8.3 version

Karsten Iwen · ‎09-01-2014

For object NAT you need a different object for every NAT-rule. But all these objects have the same host configured. For reaching your DMZ-server with the public name, you don't need any NAT from inside to DMZ, just DNS-doctoring:

object network DMZ-WEB host a.b.c.d nat (dmz,outside) static OUT-WEB dns

View solution in original post

olipaudex · ‎09-01-2014

Hi again,

OK, I think I found it

1. solution (normal NAT)

nat (dmz,inside) source static DMZ-WEB OUT-WEB

nat (dmz,outside) source static DMZ-WEB OUT-WEB

2. solution (object NAT)

object network DMZ-WEB
host w.x.y.z

object network OUT-WEB
host a.b.c.d

nat (dmz,outside) static OUT-WEB

With the solution 2., it's impossible to configure 2 nat rules, like I've done in solution 1. I choose the solution 1, much more transparent for me.

Could somebody confirm I'm right.

Thanks

Karsten Iwen · ‎09-01-2014

For object NAT you need a different object for every NAT-rule. But all these objects have the same host configured. For reaching your DMZ-server with the public name, you don't need any NAT from inside to DMZ, just DNS-doctoring:

object network DMZ-WEB host a.b.c.d nat (dmz,outside) static OUT-WEB dns

olipaudex · ‎09-01-2014

Hi Karsten,

OK, another good idea. I will try without the object NAT rule

nat (dmz,outside) source static DNS-WEB OUT-WEB dns

Thanks