cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1815
Views
0
Helpful
1
Replies
Highlighted
Beginner

Webserver and NAT (can access from outside, not inside)

I have a 5515-X ASA and we are working on setting up a webserver that whould be accessible from the outside as weel as the inside.

The NAT rule allowing the webserver that is located on an internal LAN to be successful when accessing from the outside.

Now when I try to access the server from a system on the internal LAN i am unable to do so unless i use the internal address.

Not the end of the world right now as we are only in production, but it would be nice to only have to worry about the public IP as it is registered with DNS so.

here is the nat rule

    nat (outside,inside) 1 source static any any destination static Webserver-Public Webserver-Private service https https

Thanks for any assistance.

Everyone's tags (5)
1 REPLY 1
Highlighted
Mentor

Re: Webserver and NAT (can access from outside, not inside)

Hi,

If you want both

Static NAT the Server local IP to a Public IP

AND

NAT the Server so that it can be reached from the LAN with the public IP address

Then you could use the following types of configurations

Static NAT from LAN to WAN

object network SERVER-STATIC

host 10.0.0.200

nat (LAN,WAN) static 1.2.3.4

Where

  • 10.0.0.200 = Server local IP address
  • 1.2.3.4 = Public IP address dedicated for this server
  • LAN and WAN = Inside and Outside interfaces

Dynamic Policy PAT coupled with the Static NAT (Twice NAT) for the Server for LAN users

object network LAN

subnet 10.0.0.0 255.255.255.0

object network SERVER-LOCAL

host 10.0.0.200

object network SERVER-GLOBAL

host 1.2.3.4

nat (LAN,LAN) source dynamic LAN interface destination static SERVER-GLOBAL SERVER-LOCAL

Where

  • 10.0.0.0/24 = Is the LAN network
  • 10.0.0.200 = Is the server local IP address
  • 1.2.3.4 = Is the server public IP address

The first NAT configuration is a simple Static NAT using "Network Object NAT" and its only purpose is to NAT the server local IP address to a public IP address for users on the Internet.

The second NAT configuration is a Dynamic Policy PAT with also the Static NAT done with a Twice NAT / Manual NAT configuration.

The way it works is that when the ASA sees a connection coming from the network LAN to the Public IP address then it will PAT the LAN users to the interface LAN IP address and it will also UN-NAT the public IP address to the local IP address of the server. This will enable you to connect to the server using the public IP address even from the LAN.

Hope I made any sense. Please do ask more if I didnt

Hope this helps

- Jouni