ASA: how to access an internal server by its public address from the inside network

Answered Question
Oct 14th, 2007

Hi,

I have run into an issue using an ASA5550.

There are 2 interfaces configured on the firewall; one acts as inside and the other acts as outside. I configured static PAT from outside to inside, mapping one public address to the internal e-mail server, and dynamic PAT from inside to outside.


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255

212.x.x.1 is the public address which represents the e-mail server in the public network.

10.x.x.1 is the private address of the e-mail server in the private (inside) network.

The IP address of the outside interface is 219.x.x.2/252.


1. When I access the e-mail server from the public network, it works fine; when I access the e-mail server in the inside network using the private address 10.x.x.1, it works fine.

2. But when I access the e-mail server in the private (inside) network using the public address 212.x.x.1, it does not work.

I don't know why that is. Please help me check it.


Thanks

Jun Xu

Correct Answer by JORGE RODRIGUEZ about 9 years 6 months ago

You need to enable DNS doctoring or hairpinning; refer to this link for more details.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#intro


HTH

Jorge

Overall Rating: 5 (2 ratings)
junxu2 Sun, 10/14/2007 - 22:32

Hi Jorge


Thanks for your reply!

That is a good method to solve the issue for some applications which use DNS to get the IP address. But if some applications use the public IP address of the e-mail server to access it from the inside, the problem will occur. At the customer site, some users do just this.

How can we solve this?


Thanks

Jun



acomiskey Mon, 10/15/2007 - 07:44

same-security-traffic permit intra-interface

static (inside,inside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0
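
The hairpin configuration above, traced as an added example that is not part of the original posts: a simplified Python model of the address rewriting (it does not reproduce the ASA's own packet processing) showing why the source translation from `global (inside) 1 interface` matters alongside the `static (inside,inside)` destination mapping. Assumptions: the client and server share the inside subnet, and all addresses are constructed stand-ins for the masked ones in the thread.

```python
# Simplified model of the hairpin address rewriting; not ASA code.
# All addresses are constructed stand-ins for the masked ones in the thread.
PUBLIC_VIP = "203.0.113.1"   # stands in for 212.x.x.1
SERVER = "10.0.0.1"          # stands in for 10.x.x.1
ASA_INSIDE = "10.0.0.254"    # assumed ASA inside interface address
CLIENT = "10.0.0.50"         # assumed inside client, same subnet as the server


def hairpin(intra_interface, static_inside, pat_inside):
    """Trace one client -> PUBLIC_VIP exchange; return (outcome, hops)."""
    hops = [("client->asa", CLIENT, PUBLIC_VIP)]
    if not intra_interface:
        return "dropped: traffic may not leave the interface it entered", hops
    if not static_inside:
        return "dropped: no inside-to-inside mapping for the public address", hops

    # Destination rewrite: static (inside,inside) maps the public address to the server.
    # Source rewrite: global (inside) 1 interface hides the client behind the ASA.
    src = ASA_INSIDE if pat_inside else CLIENT
    hops.append(("asa->server", src, SERVER))

    # The server answers whatever source address it saw.
    if src == ASA_INSIDE:
        hops.append(("server->asa", SERVER, ASA_INSIDE))
        # The ASA reverses both translations before handing the reply back.
        reply = ("asa->client", PUBLIC_VIP, CLIENT)
    else:
        # Same subnet: the reply goes straight to the client and skips the ASA.
        reply = ("server->client", SERVER, CLIENT)
    hops.append(reply)

    # The client's socket only accepts replies from the address it contacted.
    if reply[1] == PUBLIC_VIP:
        return "established", hops
    return f"failed: client expected {PUBLIC_VIP}, reply came from {reply[1]}", hops


if __name__ == "__main__":
    cases = {
        "original config": (False, False, False),
        "destination rewrite only": (True, True, False),
        "hairpin config from the thread": (True, True, True),
    }
    for name, flags in cases.items():
        outcome, hops = hairpin(*flags)
        print(f"{name}: {outcome}")
        for hop in hops:
            print("   %-15s src=%-12s dst=%s" % hop)
```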

junxu2 Wed, 10/17/2007 - 21:15

It is a good solution at my customer site.

Thanks to all for your help.
