We have an exchange server which clients from internal subnets would like to access by establishing connection to an public IP address which is NATed of 220.127.116.11 (this is fake IP).
External clients can establish connection to public IP, internal clients to internal IP however when internal clients try to access it via public IP, connection will simply time-out.
I have created an entry in host file for internal clients and we can resolve the server domain name to the correct ip 18.104.22.168 (this is fake IP) however the connection will time-out.
We have Cisco ASA 5510 which filters all the outbound & inbound connections and our Cisco routers (1941/K9 & 2821) do not have any ACL's in terms of traffic filtering. NAT is also performed by ASA 5510.
Guys, what am I missing here? reverse NAT?
You're trying to reach a NAT address. The firewall creates this translation. By default, you will not be able to reach that IP internally which I'm confused why you would need to?
You would need to perform some type of hairpin where you go out and come back in. Also, you could assign a public IP to the server directly.
It might be confusing and I agree that this is not the best way of achieving this, however changes in our environment will require clients to connect to the server this way as a temporary solution.
How would you achieve this without assigning public IP to the server directly? We still want to NAT it on the ASA and allow this type of connectivity.
I am sure that there is a way of doing that.
There are several ways to achieve this. An easy one:
Make sure that your Exchange-Server uses a NAT-translation with only the IP and not any port-numbers. There you can enable "dns doctoring":
object network EXCHANGE host 10.10.10.10 nat (inside,outside) static 22.214.171.124 dns
If the DNS-requests will also flow through this ASA, then the ASA will replace the public IP 126.96.36.199 in the DNS-replies with the internal IP of the server.
Thanks for your reply.
object network 10.10.10.1 nat (inside,outside) static 188.8.131.52 object network 10.10.10.2 nat (inside,outside) static 184.108.40.206 object network 10.10.10.3 nat (inside,outside) static 220.127.116.11 object network 10.10.10.10 nat (any,any) static 18.104.22.168
First of all, do you know why object network 10.10.10.10 is configured any,any isntead of inside,outside if all of them are the exchange servers are there is no difference in terms of connectivity etc? It was done by someone else and I can't find any reason to why.
Plus obviously we have extended ACL's for outside access to those IP addresses for services like HTTPS, RDP, SMTP etc.
I am confused with the DNS entry at the end of the NAT rule you have shown me. Is that all that needs to be added to allow internal to external IP conenctivity? I don't understand how that works and what it does.
The "(any,any)" is most likely resulted by the lazyness of the person who configured it in ASDM. The interface options are only available after opening the advanced settings.
IMO it's a better config to always specify the interfaces unless you know that you want that translation to work on multiple interfaces. And that's more often the case with dynamic NAT but rarely with static NAT.
Here is an explanation of what DNS doctoring does: