10-01-2013 11:35 AM - edited 03-11-2019 07:45 PM
Hi, I have an ASA 5550 with IOS version 9. This ASA has a public IP to give access to the inside users (NAT overload), and it has another public IP to do a static NAT to connect the outside users with a server inside the network (http).
All works great, but now I need to achieve that if I am in the inside segment, I can access the server, but with the public IP.
For example:
I am connected to the inside network; I have 192.168.115.80 and the server has 192.168.115.33. If I browse to the server with 192.168.115.33, I get access to the server.
But now, instead of browsing with the private IP (192.168.115.33), I want to browse with the public IP that I use to permit public users to get access.
Is there any feature to do this?
Thanks!!!!
10-01-2013 11:45 AM
Hi,
It requires a slightly unusual NAT configuration, and you will also have to confirm that you have a certain setting enabled.
So first you will have to confirm that you have the configuration "same-security-traffic permit intra-interface". You can show the setting with the "show run same-security-traffic" command, for example. This command/setting will allow the ASA to have a connection incoming and leaving through the same interface. In this case that interface would seem to be "inside".
The actual NAT configuration will be between the "inside" and "inside" interface. It will both translate the source address of the user to the "inside" interface IP address (the server will see the connection coming from the ASA interface IP address rather than from the host directly; this is important for traffic to flow correctly with regards to the ASA) and also do the Static NAT required by the server.
Here is a NAT configuration that should work for your situation:
object network SERVER-PUBLIC
host 1.1.1.1
object network SERVER-LOCAL
host 192.168.115.33
object network LAN
subnet 192.168.115.0 255.255.255.0
nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
10-01-2013 02:08 PM
Hi JouniForss, thanks for your help.
I applied the commands like you said, but I cannot connect yet.
I have the "same-security-traffic permit intra-interface" command, and these are my NAT rules and objects:
object network www
host 192.168.115.32
object network ip_publica_servicios
host 187.157.145.182
object network 115
subnet 192.168.115.0 255.255.255.0
object-group network Internet
description Vlans permitidas a internet
network-object 192.168.111.0 255.255.255.0
network-object 192.168.112.0 255.255.255.0
network-object 192.168.115.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
nat (inside,outside) source dynamic Internet interface
nat (inside,outside) source static any any destination static usuarios_vpn usuarios_vpn no-proxy-arp route-lookup
nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www
!
object network www
nat (inside,outside) static ip_publica_servicios service tcp www www
Do you think that the other NAT can cause the problem?
10-01-2013 02:16 PM
Hi,
The problem is with the order of the NAT configurations.
You have 2 options to make this work.
I would rather use the second option, though you might want to use the first if you don't want to cause any problems for Internet users (even though it's only a small outage in the connections).
The first option can be done in the following way:
no nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www
nat (inside,inside) 1 source dynamic 115 interface destination static ip_publica_servicios www
The second option, which I prefer, would be done in this way:
no nat (inside,outside) source dynamic Internet interface
nat (inside,outside) after-auto source dynamic Internet interface
The reason why I prefer removing the Dynamic PAT for Internet users and changing its configuration format is that in its current form it's overriding all other NAT configurations, because it's configured as the higher-priority NAT configuration, which it really shouldn't be. By adding "after-auto", the Dynamic PAT will still work for all the LAN users but won't interfere with the other NAT configurations like it's doing now.
Hope this clarifies the situation.
- Jouni
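The NAT-order problem Jouni describes here, and the intra-interface hairpin rule from his first reply, can be reproduced in a small model. The Python below is an added example, not configuration or code from this thread or from Cisco: it models the ASA's three NAT sections (section 1, manual NAT in configuration order; section 2, object NAT; section 3, manual NAT entered with "after-auto") with first-match lookup, using the objects and addresses posted in the thread. The interface addresses 192.168.115.1 and 203.0.113.10, the VPN pool 10.10.10.0/24 and the hosts 8.8.8.8 and 198.51.100.7 are assumptions; ports, route lookups and the reverse direction of a flow are ignored.

```python
"""Simplified model of Cisco ASA NAT rule ordering (teaching model, not ASA code).

Section 1: manual (twice) NAT in configuration order
Section 2: object (auto) NAT
Section 3: manual NAT entered with the "after-auto" keyword
The first matching rule wins.  Ports, route lookups and most real matching
details are ignored; only the forward direction of a flow is modelled.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Interface addresses are assumptions; the thread does not give them.
INTERFACE_IP = {"inside": "192.168.115.1", "outside": "203.0.113.10"}

# Network objects from the thread.  "usuarios_vpn" is an assumed VPN pool.
OBJECTS = {
    "www": ["192.168.115.32/32"],
    "ip_publica_servicios": ["187.157.145.182/32"],
    "115": ["192.168.115.0/24"],
    "Internet": ["192.168.111.0/24", "192.168.112.0/24",
                 "192.168.115.0/24", "192.168.88.0/24"],
    "usuarios_vpn": ["10.10.10.0/24"],
    "any": ["0.0.0.0/0"],
}


def in_object(name: str, ip: str) -> bool:
    """True if ip falls inside any network of the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])


@dataclass
class Rule:
    section: int                 # 1 manual, 2 object NAT, 3 manual after-auto
    real_ifc: str                # packet must enter on this interface
    mapped_ifc: str              # egress interface chosen by the rule
    src_match: str               # packet source must belong to this object
    src_xlate: Optional[str]     # "interface" = PAT to mapped_ifc address; None = unchanged
    dst_match: str = "any"       # packet destination (mapped side) must belong here
    dst_xlate: Optional[str] = None  # object holding the real destination, or None
    text: str = ""               # the CLI line the rule stands for


PAT_INTERNET = Rule(1, "inside", "outside", "Internet", "interface",
                    text="nat (inside,outside) source dynamic Internet interface")
VPN_IDENTITY = Rule(1, "inside", "outside", "any", None, "usuarios_vpn", None,
                    text="nat (inside,outside) source static any any destination static usuarios_vpn usuarios_vpn")
HAIRPIN = Rule(1, "inside", "inside", "115", "interface", "ip_publica_servicios", "www",
               text="nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www")
# Inbound direction of the bidirectional static object NAT on "object network www".
OBJECT_WWW = Rule(2, "outside", "inside", "any", None, "ip_publica_servicios", "www",
                  text="object network www / nat (inside,outside) static ip_publica_servicios service tcp www www")


def original_config() -> List[Rule]:
    """The order posted in the thread: the Internet PAT is first in section 1."""
    return [PAT_INTERNET, VPN_IDENTITY, HAIRPIN, OBJECT_WWW]


def option1_config() -> List[Rule]:
    """Jouni's first option: re-add the hairpin rule at line 1 of section 1."""
    return [HAIRPIN, PAT_INTERNET, VPN_IDENTITY, OBJECT_WWW]


def option2_config() -> List[Rule]:
    """Jouni's second option: move the Internet PAT to section 3 (after-auto)."""
    after_auto = replace(PAT_INTERNET, section=3,
                         text="nat (inside,outside) after-auto source dynamic Internet interface")
    return [VPN_IDENTITY, HAIRPIN, after_auto, OBJECT_WWW]


def lookup(rules: List[Rule], ingress: str, src: str, dst: str) -> Tuple[str, str, Optional[str], str]:
    """Return (translated_src, translated_dst, egress_ifc, rule_text) of the first match.

    sorted() is stable, so rules keep their configuration order inside a section.
    """
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.real_ifc != ingress or not in_object(rule.src_match, src):
            continue
        if not in_object(rule.dst_match, dst):
            continue
        new_src = INTERFACE_IP[rule.mapped_ifc] if rule.src_xlate == "interface" else src
        new_dst = OBJECTS[rule.dst_xlate][0].split("/")[0] if rule.dst_xlate else dst
        return new_src, new_dst, rule.mapped_ifc, rule.text
    return src, dst, None, "no NAT rule matched"


if __name__ == "__main__":
    flows = [("inside", "192.168.115.80", "187.157.145.182"),   # LAN user to the public server IP
             ("inside", "192.168.115.80", "8.8.8.8"),           # LAN user to the Internet
             ("outside", "198.51.100.7", "187.157.145.182")]    # Internet user to the server
    for name, cfg in (("original", original_config()), ("option 1", option1_config()),
                      ("option 2", option2_config())):
        print(f"== {name}")
        for ingress, src, dst in flows:
            print(f"  {src} -> {dst} via {ingress}: {lookup(cfg, ingress, src, dst)}")
```

With the original order, the LAN user's packet to 187.157.145.182 hits the section 1 Internet PAT first: its source is rewritten to the outside address and its destination is never translated to 192.168.115.32, so the hairpin rule is never reached. With either fix the (inside,inside) rule wins for that flow, while ordinary Internet-bound traffic still reaches the PAT (in section 1 or section 3) and inbound traffic to the server still matches the object NAT, which is what Jouni means by the after-auto PAT no longer interfering.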