05-31-2017 11:39 AM - edited 03-12-2019 02:26 AM
So, I've got a DMZ interface configured, and I've got a host inside it, which I'll call Webserver1. I've got most of it working; however, I cannot get the external IP address to map correctly to Webserver1. Pinging it gives me nothing, and of course I can't connect to it via web browser.
Here is basically what I have added so far:
object network Webserver1
 host 10.1.1.1
object network Webserver1-external-IP
 host 100.1.1.1
object network DMZ-int
 nat (DMZ,outside) dynamic interface
object network Webserver1
 nat (DMZ,outside) static Webserver1-external-IP service tcp www www
access-list DMZ-ext extended permit tcp any object Webserver1 eq www
access-list DMZ-ext extended permit tcp any object Webserver1 eq https
access-group DMZ-ext in interface outside
Just want to see if there is something that I obviously missed?
06-01-2017 10:19 AM
Can you post a "sh nat"?
Jon
06-02-2017 02:32 PM
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Webserver1 Webserver1-external-IP service tcp www www
    translate_hits = 0, untranslate_hits = 139
2 (DMZ) to (outside) source dynamic DMZ-int interface
    translate_hits = 7678, untranslate_hits = 9
I think this is the relevant portion of that command's output.
06-02-2017 11:59 PM
You may try this command instead:
nat (DMZ,outside) static Webserver1-external-IP Webserver1 service tcp www www
06-03-2017 04:17 PM
I figured it out, "rookie" mistake. The internal site runs over https/443 not port 80 :)
Just went through it and it jumped out at me right away (must've been staring at it too long the other night).
That said, I just changed:
object network Webserver1
 nat (DMZ,outside) static Webserver1-external-IP service tcp www www
To:
object network Webserver1
 nat (DMZ,outside) static Webserver1-external-IP service tcp https https
And voila, it works!
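The mismatch behind this thread (the ACL permits www and https to Webserver1, while the static PAT forwards only www) can be caught by cross-checking the two. This is an added example, not part of the thread: a Python check over a constructed copy of the posted config, where the `audit` function, the `PORTS` table and the regexes are illustrative and cover only the command forms shown here.

```python
import re

# ASA service keywords mapped to port numbers (only the ones used in this thread).
PORTS = {"www": 80, "https": 443}

# Constructed sample: the posted config with the first (non-working) NAT line.
CONFIG = """\
object network Webserver1
 host 10.1.1.1
object network Webserver1-external-IP
 host 100.1.1.1
object network Webserver1
 nat (DMZ,outside) static Webserver1-external-IP service tcp www www
access-list DMZ-ext extended permit tcp any object Webserver1 eq www
access-list DMZ-ext extended permit tcp any object Webserver1 eq https
access-group DMZ-ext in interface outside
"""

def port(token):
    """Resolve a service keyword or a numeric port."""
    return PORTS.get(token) or int(token)

def audit(config):
    """Compare the TCP ports an ACL permits to an object with its static PAT ports."""
    forwarded, permitted, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s*nat \(\S+\) static \S+ service tcp (\S+) \S+", line):
            # First service token is the real port; the ACL on this page
            # references the real object, so that is the one to compare.
            forwarded.setdefault(current, set()).add(port(m.group(1)))
        elif m := re.match(r"access-list \S+ extended permit tcp any object (\S+) eq (\S+)", line):
            permitted.setdefault(m.group(1), set()).add(port(m.group(2)))
    findings = []
    for obj in sorted(set(forwarded) | set(permitted)):
        fwd, acl = forwarded.get(obj, set()), permitted.get(obj, set())
        findings += [(obj, p, "permitted by ACL but not forwarded by NAT") for p in sorted(acl - fwd)]
        findings += [(obj, p, "forwarded by NAT but not permitted by ACL") for p in sorted(fwd - acl)]
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the corrected config (`service tcp https https`), the same check reports port 80 as permitted by the ACL but no longer forwarded, which marks the `eq www` entry as a candidate for removal.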