ASA-how to access internal server by public address in inside network

junxu2
Cisco Employee

Hi,

I have run into an issue using an ASA5550.

There are 2 interfaces configured on the firewall; one acts as inside and the other acts as outside. I configured static PAT from outside to inside, mapping one public address to the internal e-mail server, and dynamic PAT from inside to outside.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255

212.x.x.1 is the public address which represents the e-mail server on the public network.

10.x.x.1 is the private address of the e-mail server on the private (inside) network.

The IP address of the outside interface is 219.x.x.2/252.

1. When I access the e-mail server from the public network, it works fine; when I access the e-mail server from the inside network using the private address 10.x.x.1, it works fine.

2. But when I access the e-mail server from the private (inside) network using the public address 212.x.x.1, it does not work.

I don't know why this is. Please help me check it.

Thanks

Jun Xu

1 Accepted Solution


JORGE RODRIGUEZ
Level 10

You need to enable DNS doctoring or hairpinning; refer to this link for more details.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#intro

HTH

Jorge

Jorge Rodriguez

Hi Jorge

Thanks for your reply!

That is a good method to solve the issue for applications which use DNS to get the IP address. But if an application uses the public IP address of the e-mail server to access it from the inside, the problem will occur. At the customer site, some users do just this.

How can we solve?

Thanks

Jun

Jun, go over this thread, as there is a conversation on exactly your issue. You are still looking at hairpinning.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddecce5

Jorge Rodriguez

same-security-traffic permit intra-interface

static (inside,inside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0

It is a good solution at my customer site.

Thanks for all of your help.
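
An added example, not part of the thread: a Python check that parses pre-8.3 ASA configuration text and reports, for each `static (inside,outside)` mapping, which of the hairpinning statements from the final reply are still missing. The function name `hairpin_gaps` and the two sample configurations (assembled from the lines posted above) are assumptions of this example.

```python
import re

# Pre-8.3 ASA syntax, as used in the thread.
STATIC = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) interface")
NAT = re.compile(r"^nat \((\w+)\) (\d+) ")
INTRA = "same-security-traffic permit intra-interface"

# Constructed samples: the question's configuration, then the same
# configuration with the four lines from the final reply appended.
ORIGINAL = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255
"""
FIXED = ORIGINAL + """\
same-security-traffic permit intra-interface
static (inside,inside) tcp 212.x.x.1 https 10.x.x.1 https netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0 0
"""

def hairpin_gaps(config, real_if="inside", mapped_if="outside"):
    """Map each published host:port to the hairpin statements it still lacks."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = [m.groups() for l in lines if (m := STATIC.match(l))]
    globals_ = [m.groups() for l in lines if (m := GLOBAL.match(l))]
    nats = [m.groups() for l in lines if (m := NAT.match(l))]
    # Source PAT on the real interface needs a nat/global pair sharing a NAT ID.
    inside_pat = any(ifc == real_if and (real_if, nid) in nats
                     for ifc, nid in globals_)
    report = {}
    for r_if, m_if, pub, pport, priv, rport in statics:
        if (r_if, m_if) != (real_if, mapped_if):
            continue
        missing = []
        if INTRA not in lines:
            missing.append(INTRA)
        if (real_if, real_if, pub, pport, priv, rport) not in statics:
            missing.append(f"static ({real_if},{real_if}) tcp {pub} {pport} {priv} {rport}")
        if not inside_pat:
            missing.append(f"global ({real_if}) <nat-id> interface")
        report[f"{pub}:{pport}"] = missing
    return report

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, hairpin_gaps(cfg))
```

With `global (inside) 1 interface` in place, the e-mail server sees hairpinned internal clients as the ASA inside interface address, so its access logs no longer distinguish them.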
