04-18-2011 09:25 AM - edited 03-04-2019 12:06 PM
Hi all,
I have a Cisco ASA cluster.
INSIDE - 10.10.10.0/24
DMZ - 172.16.0.0/24
OUTSIDE - 192.168.100.0/24
I have a static NAT which translates a server in the DMZ to a public-facing IP address.
My inside users have a requirement to be able to connect to the external address of the DMZ server (as it's hard-coded in a website).
I cannot get this working. What do I need to do to get this working, please?
Many thanks
04-18-2011 12:45 PM
Are you using your own name server for address resolution or does your provider provide that service?
If yes for your own DNS server, in which zone is it located?
Did you try not using DNS and instead using the IP address itself?
Regards,
04-18-2011 01:13 PM
They are unable to access the external IP address because it's being denied by the ASA for IP spoofing; you will be seeing a lot of "packet dropped because of IP spoof from inside" messages in the ASA logs.
Please post the NAT configuration for the server (x.x, the last two octets of the public IPs) and post the output of:
1> sh run global
2> sh run nat
I am assuming that you are using ASA code 8.2 or lower, since it changes completely with 8.3 and higher.
Manish
04-19-2011 01:28 AM
Thanks for the replies. I cannot use DNS to get around this as it's using IP only.
Here is the output you requested:
fw-cluster/act# sh run global
global (OUTSIDE) 1 interface
fw-cluster/act#
fw-cluster/act#
fw-cluster/act#
fw-cluster/act# sh run nat
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (TRANSIT) 0 access-list nonat_acl
nat (TRANSIT) 1 192.168.204.51 255.255.255.255
nat (TRANSIT) 1 192.168.0.0 255.255.255.0
nat (TRANSIT) 1 192.168.194.0 255.255.255.0
nat (TRANSIT) 1 192.168.201.0 255.255.255.0
nat (TRANSIT) 1 192.168.204.0 255.255.255.0
nat (Wireless_HSP) 1 192.168.254.0 255.255.255.0
I have a static NAT for this host:
static (DMZ1,HEANET) x.x.x.x 172.16.0.51 netmask 255.255.255.255
I have also added "nat (dmz1) 1 172.16.0.0 255.255.255.0" but it did not make any difference.
The ASDM logs are allowing the connection; I am not seeing any drops.
thanks
04-19-2011 11:05 AM
Do you have an interface named HEANET as well? Does your static NAT work from the outside world?
Manish
04-20-2011 02:00 AM
Sorry, the HEANET should be "outside" also.
04-20-2011 09:18 AM
OK, you have two options:
Option 1:
Remove:
asa(config)# no static (DMZ1,OUTSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255
Add:
asa(config)#static (DMZ1,OUTSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255 dns
Also known as DNS doctoring.
Option 2:
DNAT:
Add another statement:
asa(config)#static (dmz1,inside) x.x.x.x 172.16.0.51 netmask 255.255.255.255
Please check this link out for further info:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Manish
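To see why option 2 changes the packet path, here is a small simulation of the pre-8.3 ASA static NAT lookup, written as an added example for this thread (it is not code from the original posts or from Cisco). It models the two things a "static (real_ifc,mapped_ifc) mapped real" statement does: un-translate the destination of a packet that enters the mapped interface addressed to the mapped IP, and translate the source of a packet leaving towards the mapped interface from the real IP. The interface names INSIDE, DMZ1 and OUTSIDE and the subnets are taken from the thread; the routing table, the inside host 10.10.10.5 and the public address 203.0.113.51 (standing in for x.x.x.x) are constructed for the example. Security-level and ACL checks are deliberately left out so the NAT effect stands alone.

```python
"""Toy model of ASA 8.2-style static NAT plus routing (added example, not ASA code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) mapped real netmask 255.255.255.255"""
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str


@dataclass(frozen=True)
class Packet:
    in_ifc: str   # interface the packet arrived on
    src: str
    dst: str


# Constructed routing table for the thread's topology: (prefix, egress interface).
ROUTES = [
    ("10.10.10.0/24", "INSIDE"),
    ("172.16.0.0/24", "DMZ1"),
    ("192.168.100.0/24", "OUTSIDE"),
    ("0.0.0.0/0", "OUTSIDE"),
]

PUBLIC_IP = "203.0.113.51"      # constructed stand-in for the thread's x.x.x.x
DMZ_SERVER = "172.16.0.51"      # real DMZ address from the thread
INSIDE_HOST = "10.10.10.5"      # constructed inside client

# Option 2 from the thread: keep the outside static and add a DMZ1<->INSIDE static.
STATIC_OUTSIDE_ONLY = [Static("DMZ1", "OUTSIDE", PUBLIC_IP, DMZ_SERVER)]
STATIC_WITH_DNAT = STATIC_OUTSIDE_ONLY + [Static("DMZ1", "INSIDE", PUBLIC_IP, DMZ_SERVER)]


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    best_net, best_ifc = None, None
    for prefix, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifc = net, ifc
    return best_ifc


def forward(pkt: Packet, statics: list[Static]) -> tuple[str, str, str]:
    """Return (egress interface, source after NAT, destination after NAT).

    Step 1: if the packet entered a static's mapped interface addressed to the
            mapped IP, rewrite the destination to the real IP (destination NAT).
    Step 2: route on the (possibly rewritten) destination.
    Step 3: if the packet came from a static's real interface, leaves via its
            mapped interface and is sourced from the real IP, rewrite the source.
    """
    src, dst = pkt.src, pkt.dst
    for s in statics:
        if pkt.in_ifc == s.mapped_ifc and dst == s.mapped:
            dst = s.real
            break
    egress = route(dst)
    for s in statics:
        if pkt.in_ifc == s.real_ifc and egress == s.mapped_ifc and src == s.real:
            src = s.mapped
            break
    return egress, src, dst


def inside_to_public(statics: list[Static]) -> tuple[str, str, str]:
    """Inside client connecting to the DMZ server's public address."""
    return forward(Packet("INSIDE", INSIDE_HOST, PUBLIC_IP), statics)


def dmz_reply(statics: list[Static]) -> tuple[str, str, str]:
    """DMZ server's reply towards the inside client."""
    return forward(Packet("DMZ1", DMZ_SERVER, INSIDE_HOST), statics)


if __name__ == "__main__":
    print("outside static only :", inside_to_public(STATIC_OUTSIDE_ONLY))
    print("with DMZ1/INSIDE DNAT:", inside_to_public(STATIC_WITH_DNAT))
    print("server reply         :", dmz_reply(STATIC_WITH_DNAT))
```

With only the (DMZ1,OUTSIDE) static, the inside packet is never un-translated, so it is routed out of OUTSIDE towards the public address instead of into the DMZ; that matches the symptom in the thread, where the ASDM log shows the flow as permitted yet the server is never reached. Adding the (DMZ1,INSIDE) static makes the same packet leave via DMZ1 with destination 172.16.0.51, and the server's reply is re-sourced to the public address on the way back, so the inside client sees a consistent peer. For a detection-side check, the real-world equivalent of step 1 is visible in "show xlate" on the ASA once the inside static is in place.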