ASA: Question about static public IP accessing

Sep 12th, 2007

Hi there,


Is it possible to access a server located in the DMZ using its public IP address (static NAT), from a server in the same DMZ or from another station on another network interface (inside or management)? Will that be possible on the ASA?


My customer states that it can be done on Check Point firewalls.


Any feedback is highly appreciated.


acomiskey Wed, 09/12/2007 - 11:28

Yes. But it will be one or the other, not both. It is called destination NAT.


DMZ server public ip = 1.1.1.1

DMZ server ip = 192.168.1.1


To access from inside...


static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255


To access it from another DMZ machine you must use hairpinning. DNS doctoring will only work if you're trying to resolve it, not using an ip.


Hairpinning Example


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
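The two cases in this reply side by side, as an added configuration example that is not from the thread or the linked Cisco document. It assumes pre-8.3 ASA syntax (static/nat/global), the addresses acomiskey used (public 1.1.1.1, real 192.168.1.1), a DMZ subnet of 192.168.1.0/24 and a constructed DMZ client 192.168.1.50; the DMZ interface name `dmz` is also an assumption.

```cisco
! Added example, not the thread's own config. Assumptions: ASA 7.x/8.2 (pre-8.3)
! NAT syntax, interface named "dmz", DMZ subnet 192.168.1.0/24.

! Case 1: inside hosts reach the DMZ server by its public address (destination NAT).
! Inside-to-DMZ traffic to 1.1.1.1 is translated to 192.168.1.1 on the way out of "dmz".
static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

! Case 2: a DMZ host reaches the same server by its public address (hairpin).
! Traffic has to enter and leave the ASA on the same interface, which is
! denied by default; enable it explicitly.
same-security-traffic permit intra-interface

! Translate the public address back to the real server when the request arrives on "dmz".
static (dmz,dmz) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

! Hide DMZ clients behind the ASA's own DMZ interface address for dmz-to-dmz flows.
! Without this the server would answer the client directly on the shared LAN, the
! reply would bypass the ASA, and the asymmetric flow would be dropped.
global (dmz) 1 interface
nat (dmz) 1 192.168.1.0 255.255.255.0

! Check the translation path for the hairpin case (constructed client 192.168.1.50):
! packet-tracer input dmz tcp 192.168.1.50 12345 1.1.1.1 80
! show xlate
```

With this in place the "one or the other" limitation still applies per direction: inside hosts use the (dmz,inside) static, DMZ hosts use the (dmz,dmz) hairpin, and neither path lets a DMZ host reach a peer by its real address through the public one.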

jopontes Wed, 09/12/2007 - 11:44

D-NAT is not an option for the customer, since he needs to actually go out and come back in on the same interface.


I had used hairpinning in a VPN client and LAN-to-LAN environment, but I didn't think of it as a solution for this scenario.


I'll try that and I'll post here again with my findings. Thanks a lot!

acomiskey Wed, 09/12/2007 - 11:54

> "D-NAT is not an option for the customer, since he needs to actually go out and come back in on the same interface."


- I posted an example for inside to DMZ using D-NAT. The other example (hairpin) was for DMZ to DMZ.
