Problem with Port Forwarding on ASA 5505

Johan Carlsson
Level 1

Hello,

I have a setup where I have:

- outside interface that has one IP address (from ISP)

- inside interface with clients on the 10.0.0.0 IP-range

- dmz interface with servers on the 192.168.17.0 IP-range

I have a setup with port forwarding where it is possible to access different servers (webserver, SSH server, mailserver, ...). This is working really well for external clients, but if I try to connect to any of the servers from a client computer located on the inside interface using the IP address of the outside interface, traffic is blocked by the implicit access rule, so I have missed some step in this configuration and cannot figure out which. Any help would be much appreciated.

An example to illustrate my problem

Say my outside IP address is: 198.198.198.198

My webserver on the dmz interface has IP address 192.168.17.3

A client computer with IP address 145.145.145.145 (on the internet) can access my webserver using a web browser and http://198.198.198.198. This is working like a charm.

A client located on my inside interface with IP address 10.0.0.34 can access the webserver using a web browser and http://192.168.17.3, but it does not work with http://198.198.198.198.

What rule am I missing?

Best Regards

Johan

3 Replies

It works as designed (but for sure not as expected) on the ASA ... There are different ways to solve that problem:

  1. DNS doctoring. This solution is my favorite, but is not available in your case where you use one IP to forward multiple ports to multiple servers.
  2. Use an internal FQDN that points to the DMZ-IP to access that server. Or use the external FQDN and configure your DNS to provide the DMZ-IP to your internal clients.
  3. Configure destination NAT that translates the public IP to the DMZ-IP when your internal clients access that server.

Hi Karsten,

Thank you for your answer.

Do you by any chance have an instruction of how to perform destination NAT as you describe in 3?

The main reason I need this to work is that I have a mailserver on the DMZ and I want my wifi clients to be able to check mail using the external IP address (or, to be more specific, the DNS name that is bound to that IP) regardless of whether they are on my wifi network or somewhere else.

Best Regards

Johan

I didn't use it that way for a long time, as I would prefer to place an extra DNS-server for the guests. If I remember right, the NAT should look like the following:

! real (DMZ) address of the server
object network SERVER-REAL
 host 192.168.17.3
! public address on the outside interface that the clients use
object network SERVER-PUBLIC
 host 198.198.198.198
!
! inside clients sending to the public address get the destination
! translated to the DMZ server and the traffic is sent out the dmz interface
nat (inside,dmz) 1 source dynamic any any destination static SERVER-PUBLIC SERVER-REAL
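As an added illustration, not code from the thread or from Cisco, here is a simplified Python model of why an inside client's request to the public address is dropped without the twice-NAT rule above and where it ends up with it. The /24 masks, the rule matching order and the drop reason are assumptions made for the model; verify the real box with packet-tracer and show nat.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from the thread; the /24 masks are assumed.
CONNECTED = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.17.0/24"),
}
OUTSIDE_IP = ipaddress.ip_address("198.198.198.198")
SERVER_REAL = "192.168.17.3"
SERVER_PUBLIC = "198.198.198.198"


@dataclass
class TwiceNat:
    """Models: nat (src_if,dst_if) source dynamic any any destination static mapped real"""
    src_if: str
    dst_if: str
    dst_mapped: str  # SERVER-PUBLIC
    dst_real: str    # SERVER-REAL


def egress_interface(dst: ipaddress.IPv4Address) -> str:
    """Route lookup: a connected network wins, everything else goes out 'outside'."""
    for name, net in CONNECTED.items():
        if dst in net:
            return name
    return "outside"


def forward(ingress: str, dst: str, rules: list) -> dict:
    """Return the egress interface, translated destination and action for a packet."""
    dst_ip = ipaddress.ip_address(dst)
    # A matching twice-NAT rule fixes both the new destination and the egress interface.
    for r in rules:
        if r.src_if == ingress and dst_ip == ipaddress.ip_address(r.dst_mapped):
            return {"egress": r.dst_if, "dst": r.dst_real, "action": "forward"}
    egress = egress_interface(dst_ip)
    # Untranslated, the destination is the firewall's own outside address, which it
    # will not forward as through-traffic (modelled here simply as a drop).
    if dst_ip == OUTSIDE_IP:
        return {"egress": egress, "dst": dst, "action": "drop"}
    return {"egress": egress, "dst": dst, "action": "forward"}


# The rule from the reply above, as a model object.
HAIRPIN = [TwiceNat("inside", "dmz", SERVER_PUBLIC, SERVER_REAL)]

if __name__ == "__main__":
    print("no NAT rule  :", forward("inside", SERVER_PUBLIC, []))
    print("with NAT rule:", forward("inside", SERVER_PUBLIC, HAIRPIN))
```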