12-18-2011 08:03 AM - edited 03-11-2019 03:03 PM
Hi
I have an ASA 5510 running version 8.3. I have a server in my internal network and published its HTTP service (so I configured NAT for this server).
The server's public IP is accessible from the internet, but it's not accessible from the internal network,
although it's accessible using its private IP address from the internal network.
Does anyone have an explanation?
Thanks
12-18-2011 08:13 AM
Hi Mahmoud,
What you are trying to do is called u-turning on the ASA. You would need the following configuration for it:
Let's assume that your server's public IP is 1.1.1.1 and private IP is 10.1.1.1
object network public
 host 1.1.1.1
object network private
 host 10.1.1.1
object service tcp_443
 service tcp destination eq 443
nat (inside,inside) source static any interface destination static public private service tcp_443 tcp_443
same-security-traffic permit intra-interface
sysopt noproxyarp inside
and it should work after this.
Let me know how it goes.
Hope that helps.
Thanks,
Varun
Please do rate helpful posts
12-19-2011 12:53 AM
Hi Varun
Thank you for your reply.
The exact setup is as below:
- There are three zones: inside, outside, DMZ.
- The published server is in the DMZ zone.
- The server is published using the outside interface IP address.
- The users are trying to access the server using the public IP address from the inside zone.
So what would the configuration be in this case?
I tried the following but it didn't succeed:
(
object network obj-10.0.3.10
 host 10.0.3.10
object service tcp_80
 service tcp destination eq www
nat (inside,dmz) source static any interface destination static interface obj-10.0.3.10 service tcp_80 tcp_80
sysopt noproxyarp inside
same-security-traffic permit inter-interface
)
Thanks
12-19-2011 04:57 AM
Hi Varun,
Can you brief me regarding the sysopt noproxyarp command?
12-20-2011 08:22 AM
Mahmoud,
You can try this
nat (inside,dmz) source dynamic any interface destination static d-nat real-ip service tcp_80 tcp_80
Where d-nat is the public IP address of the server and real-ip is the IP address of the server in the DMZ.
Puneet
12-22-2011 12:59 AM
Dear Puneet
It worked.
Thank you all
12-22-2011 01:05 AM
Hi Mahmoud,
Nice to hear that it worked.
Please find this DOC on how to achieve the same.
https://supportforums.cisco.com/docs/DOC-21602
Puneet
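Added example, not part of any post in this thread: the 8.3 objects that the one-line nat (inside,dmz) rule in the accepted answer depends on, followed by commands to confirm the translation is hit. The server address 10.0.3.10 comes from the thread; 203.0.113.10 (public address) and 10.0.1.50 (an inside client) are placeholder assumptions.

```cisco
! Constructed example for ASA 8.3 (object-based "twice NAT" syntax).
! 203.0.113.10 is a placeholder for the server's published address;
! in the setup described in the thread this is the outside interface IP.
object network d-nat
 host 203.0.113.10
! Real address of the server in the DMZ (taken from the thread).
object network real-ip
 host 10.0.3.10
object service tcp_80
 service tcp destination eq www
!
! inside -> dmz: translate the destination d-nat to real-ip on port 80,
! and hide the inside clients behind the dmz interface address
! ("source dynamic any interface").
nat (inside,dmz) source dynamic any interface destination static d-nat real-ip service tcp_80 tcp_80
!
! Verification, from privileged EXEC mode.
! 10.0.1.50 is an assumed inside client address, 12345 an arbitrary source port.
show nat detail
show xlate
packet-tracer input inside tcp 10.0.1.50 12345 203.0.113.10 80 detailed
```

Because the rule applies dynamic source translation, the web server's access logs record the ASA's dmz interface address for every inside client rather than the client's own address. If an access-list is applied on the inside interface, it has to permit the server's real address, since ACLs in 8.3 match real rather than translated addresses.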