10-29-2016 02:14 AM - edited 03-12-2019 01:27 AM
Hello,
I have a setup where I have:
- outside interface that has one IP address (from ISP)
- inside interface with clients on the 10.0.0.0 IP-range
- dmz interface with servers on the 192.168.17.0 IP-range
I have a setup with port forwarding where it is possible to access different servers (webserver, SSH server, mailserver, ...). This is working really well for external clients, but if I try to connect to any of the servers from a client computer located on the inside interface using the IP address of the outside interface, the traffic is blocked by the implicit access rule, so I have missed some step in this configuration and cannot figure out which. Any help would be much appreciated.
An example to illustrate my problem:
Say my outside IP address is: 198.198.198.198
My webserver on the dmz interface has IP address 192.168.17.3
A client computer with IP address 145.145.145.145 (on the internet) can access my webserver using a web browser and http://198.198.198.198. This is working like a charm.
A client located on my inside interface with IP address 10.0.0.34 can access the webserver using a web browser and http://192.168.17.3, but it does not work with http://198.198.198.198.
What rule am I missing?
Best Regards
Johan
10-29-2016 02:31 AM
It works as designed (but for sure not as expected) on the ASA ... There are different ways to solve that problem:
10-29-2016 04:04 AM
Hi Karsten,
Thank you for your answer.
Do you by any chance have instructions on how to perform the destination NAT you describe in 3?
The main reason I need this to work is that I have a mailserver on the DMZ and I want my Wi-Fi clients to be able to check mail using the external IP address (or, to be more specific, the DNS name that is bound to that IP) regardless of whether they are on my Wi-Fi network or somewhere else.
Best Regards
Johan
10-29-2016 04:32 AM
I didn't use it that way for a long time, as I would prefer to place an extra DNS server for the guests. If I remember right, the NAT should look like the following:
! Real address of the server on the dmz interface
object network SERVER-REAL
 host 192.168.17.3
! Public address the server is reachable under from the outside
object network SERVER-PUBLIC
 host 198.198.198.198
!
! Twice NAT for inside-to-dmz traffic: rewrite the destination from the
! public address to the real server address
nat (inside,dmz) 1 source dynamic any any destination static SERVER-PUBLIC SERVER-REAL
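As an added example that is not Karsten's configuration and not part of the thread, the fragment below shows how the existing port forward and the hairpin rule fit together on an ASA running 8.3+ NAT syntax. It assumes interfaces named outside, inside and dmz, that 198.198.198.198 is the outside interface address, that the inside LAN is 10.0.0.0/24, and that the web server on port 80 is the service being published; the object names (WEB-REAL, OUTSIDE-PUBLIC, INSIDE-NET, HTTP) and the ACL name INSIDE_IN are hypothetical.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax, interfaces
! outside/inside/dmz, outside address 198.198.198.198, inside LAN 10.0.0.0/24
! (hypothetical) and the web server 192.168.17.3 from the question.
object network WEB-REAL
 host 192.168.17.3
 ! Existing port forward for internet clients: outside:80 -> 192.168.17.3:80.
 ! Object NAT (section 2) is only consulted for dmz<->outside traffic.
 nat (dmz,outside) static interface service tcp www www
!
object network OUTSIDE-PUBLIC
 host 198.198.198.198
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object service HTTP
 service tcp destination eq www
!
! Hairpin rule for inside clients that use the public address.
! Source stays untranslated (identity NAT, INSIDE-NET -> INSIDE-NET) because
! the ASA is the gateway between inside and dmz and the reply from the server
! is routed straight back to 10.0.0.x. Only port 80 is rewritten, so the
! other forwarded services (mail, SSH) get their own rule each with their own
! real server instead of every port of the public address landing on one host.
! Manual NAT (section 1) is evaluated before object NAT, so no ordering tricks
! are needed.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static OUTSIDE-PUBLIC WEB-REAL service HTTP HTTP
!
! Only needed if an ACL is applied inbound on the inside interface. Since 8.3
! interface ACLs match the real (untranslated) address, so the entry permits
! 192.168.17.3, not 198.198.198.198.
access-list INSIDE_IN extended permit tcp object INSIDE-NET object WEB-REAL eq www
!
! Verify the translation and ACL decision before testing from a client:
! packet-tracer input inside tcp 10.0.0.34 40000 198.198.198.198 80
! The output should show the manual NAT rule above, a destination of
! 192.168.17.3 in the NAT phase, and an egress interface of dmz.
```

For the mail server the same pattern is repeated with a second `object service` (for example tcp 993 or 25) and a second `nat (inside,dmz) ... service` line that points at the mail host's real address. Clients that resolve the public DNS name from inside will then reach the right DMZ host without a separate internal DNS view, which is the alternative Karsten mentions.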