Connect to outside ip from inside network

Unanswered Question
Jul 27th, 2007

I just replace a clients PIX with an ASA 5510. They weren't using static nats and had all their servers set up with dual NICs. One connected to the internet and one to their inside network. Now that the ASA is in place, they are using static nats . However, one of their apps that they use on the internal network connects to an internet IP. It's hard coded and cannot be changed. So, now when they try to connect, it does not work. Is there any way to get this to work with the ASA?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
acomiskey Fri, 07/27/2007 - 18:39

Sure, but where is the destination? If it's on the dmz and the request is coming from the inside you can do destination nat.

static (dmz,inside) public.ip private.ip netmask

Or if the destination is on the inside along with the source then you have to hairpin.

same-security-traffic permit intra-interface

static (inside,inside) public.ip private.ip netmask

nat (inside) 1 0 0

global (inside) 1 interface

Please rate helpful posts.

deyster94 Fri, 07/27/2007 - 18:46

They want to connect to an IP on the outside of the firewall that is natted back inside.

for example:

ftp to: which is natted to on the inside and make this connection from the internal network

So, for a destination nat, they would do:

static (outside,inside) netmask ?

acomiskey Mon, 07/30/2007 - 04:35

So if you have something like

static (inside,outside) x.x.x.x y.y.y.y netmask

and the connection from inside is to x.x.x.x then you would use the hairpinning method I referenced above.


This Discussion