Allow two NAT'ed hosts to talk via external IP (using ASA 5520)

jason.harper
Level 1

Hello!

I have two hosts behind an ASA on a private network.  Both hosts are NAT'ed (each has a unique public IP).  I need Host A to be able to talk to Host B through their respective external IP's.  How do I achieve this?

Thank you!

5 Replies 5

andrew.prince
Level 10

Are you talking about DNS resolution of the outside NAT IP address?

Correct.  There's an application running on Host A that does a lookup for Host B and it uses the external IP for Host B.  They can of course communicate with one another on the private interface but I also need them to be able to communicate with one another across the public interface.

OK - DNS Doctoring, or DNS rewrite as it's known.  See the URL below:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1350877

HTH

Thank you!  Ok, I've enabled this and now when I do an nslookup from Host A for Host B, it correctly gives me the internal IP instead of the external IP. 

However, if I try to ping Host B by name or navigate to the website that Host B is running using the DNS name, it still tries to go to the external IP.  Am I missing a step?

Thanks!

I think I just solved it. Had to enable the inspect maps for ICMP and HTTP along with DNS and now it seems to be working!
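
The DNS rewrite discussed in this thread, as an added example that is not part of the original posts and is a simplified model rather than Cisco's implementation: a DNS reply is parsed and any A record carrying a mapped (public) address is replaced with the real (private) one. The NAT table, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed mapped (public) -> real (private) pairs; documentation ranges,
# not addresses from the thread.
NAT_DNS_REWRITE = {"203.0.113.11": "192.168.10.11",  # Host A
                   "203.0.113.12": "192.168.10.12"}  # Host B

def build_reply(name, ip, txid=0x1234):
    """Constructed DNS reply: one question, one A-record answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)  # name pointer, A/IN
    return header + qname + struct.pack("!2H", 1, 1) + answer + ipaddress.IPv4Address(ip).packed

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def doctor_reply(msg, table=NAT_DNS_REWRITE):
    """Rewrite A records holding a mapped IP; return (new_msg, changes)."""
    out, changes = bytearray(msg), []
    qdcount, ancount = struct.unpack_from("!2H", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, class IN
            mapped = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if mapped in table:
                out[off:off + 4] = ipaddress.IPv4Address(table[mapped]).packed
                changes.append((mapped, table[mapped]))
        off += rdlen
    return bytes(out), changes

if __name__ == "__main__":
    reply = build_reply("hostb.example.com", "203.0.113.12")
    print(doctor_reply(reply)[1])
```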
