Static Nat Issue?

integrixSS, Level 1

Dear Team,

I am not able to access the web server with its public IP address when we want to access it from our local network. But there are no issues from the public network. I have configured the below-mentioned configuration in the firewall:

ASA5585

IOS ver 8.4(4)

object network local1
  host 192.168.250.5
  nat (inside,outside) static 117.239.93.250
object network local
  subnet 192.168.250.0 255.255.255.0
  nat (inside,outside) dynamic interface
access-list out extended permit tcp any host 117.239.93.250 eq www
access-group out in interface outside

Please suggest whether the ASA supports accessing the web server with its public IP address from our local network or not.

Regards,

Sandeep


Jouni Forss, VIP Alumni

Hi,

At least with the above ACL the connection even from the "outside" networks shouldn't work, as you are using the public NAT IP in the ACL. You should use the local IP address.

You will have to play around with the NAT on the ASA to enable the use of the public IP address directly from the LAN network.

You could try something like this:

object-group network WEB-SERVER-LAN-SOURCE
  network-object 192.168.250.0 255.255.255.0
object network WEB-SERVER-PUBLIC
  host 117.239.93.250
object network WEB-SERVER-LOCAL
  host 192.168.250.5
nat (inside,inside) 1 source dynamic WEB-SERVER-LAN-SOURCE interface destination static WEB-SERVER-PUBLIC WEB-SERVER-LOCAL
same-security-traffic permit intra-interface

Naturally the final configuration could look different depending on the whole setup, for example if there are more LAN networks that need to access the public IP address.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question, and/or rate helpful answers.

Or ask more if needed

- Jouni
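Added example (not part of the thread and not Cisco's code): a small Python model of the two ASA 8.4 behaviours this answer relies on, namely that an interface ACL is matched against the real (untranslated) address, and that a LAN host only reaches the server via its public IP once a twice-NAT rule on (inside,inside) rewrites the destination and hairpins the traffic. Addresses are the thread's; the inside interface IP is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model (added example, not Cisco code or the thread's configuration) of:
#  1. an interface ACL being evaluated on the REAL (untranslated) address, so the posted
#     entry that names the mapped public IP never matches inbound web traffic;
#  2. the (inside,inside) twice-NAT rule that translates the public IP back to the server
#     and rewrites the source to the interface address, so the reply returns via the ASA
#     instead of going straight back to the LAN client (which would break the session).
INSIDE_IF_IP = "192.168.250.1"          # assumed; not stated in the thread
WEB_LOCAL, WEB_PUBLIC = "192.168.250.5", "117.239.93.250"
LAN = ip_network("192.168.250.0/24")

# ACL entries as dicts: the ACL as posted, and the corrected one using the real IP.
ACL_AS_POSTED = [{"dst": WEB_PUBLIC, "port": 80}]  # permit tcp any host 117.239.93.250 eq www
ACL_FIXED = [{"dst": WEB_LOCAL, "port": 80}]       # permit tcp any host 192.168.250.5 eq www


def untranslate_object_nat(dst):
    """Static object NAT (inside,outside): inbound packets to the mapped IP get the real IP."""
    return WEB_LOCAL if dst == WEB_PUBLIC else dst


def inbound_from_internet(acl, dst=WEB_PUBLIC, port=80):
    """Outside -> inside: untranslate first, then evaluate the 'out' ACL on the real IP."""
    real_dst = untranslate_object_nat(dst)
    permitted = any(e["dst"] == real_dst and e["port"] == port for e in acl)
    return "permit" if permitted else "deny"


def hairpin_from_lan(src, dst, hairpin_rule_present):
    """Inside host -> public IP. Returns (egress_iface, xlated_src, xlated_dst)."""
    if hairpin_rule_present and ip_address(src) in LAN and dst == WEB_PUBLIC:
        # nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC LOCAL
        # (also needs 'same-security-traffic permit intra-interface' for the U-turn)
        return ("inside", INSIDE_IF_IP, WEB_LOCAL)
    # No (inside,inside) rule matches: the packet is not hairpinned and leaves via the
    # outside interface, so the LAN client never gets a usable reply.
    return ("outside", src, dst)
```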


Dear Jouni,

Thanks, it's working for me. I just entered the below-mentioned configuration as you suggested, but I did not change the access-list.

object network Local_network
  subnet 192.168.250.0 255.255.255.0
exit
object network Ereturn_Local
  host 192.168.250.5
exit
object network Ereturn_Public
  host 117.239.93.146
exit
nat (inside,inside) source dynamic Local_network interface destination static Ereturn_Public Ereturn_Local

Please also suggest, if I have one more LAN interface (i.e. DMZ), what command I have to assign to access the web server with its public IP address from the DMZ LAN network.

Regards,

Rajesh

Hi,

With regard to the traffic to the web server from another interface, we would first have to know whether ANY host on the DMZ needs to communicate with the server using its local/private IP address.

If not, then the configuration should be simple (and I can provide it after the above situation is confirmed either way).

If the server needs to be reached with local IP address also then the configuration might be slightly more complicated or in some cases even impossible.

Let me know the answer to the above and we will look at the configuration needed.

- Jouni

Hi,

We have one subnet (192.168.200.0/24) in DMZ which needs to communicate with the web server with public IP address.

Regards,

Rajesh

Hi,

Well, if the DMZ does not have any need to contact the web server with its local IP address, then you can use this configuration:

object network DMZ
  subnet 192.168.200.0 255.255.255.0
object network WEB-SERVER-PUBLIC
  host 117.239.93.250
object network WEB-SERVER-LOCAL
  host 192.168.250.5
nat (inside,dmz) 2 source static WEB-SERVER-LOCAL WEB-SERVER-PUBLIC destination static DMZ DMZ

Or you might be able to configure it as easily as the following:

object network WEB-SERVER
  host 192.168.250.5
  nat (inside,dmz) static 117.239.93.250

Let us know whether it works or not.

And again, remember to mark replies as correct if they answered the question and/or rate helpful answers.

- Jouni

Hi Jouni,

Thanks, both options are good and it's working for me.

Regards,

Rajesh
