11-25-2008 09:53 AM - edited 03-11-2019 07:18 AM
Hi,
I have the following scenario:
I want to reach an outside host under its original address and under its NAT address as it appears to the inside world.
(The host in the DMZ is translated to the inside interface with a static NAT rule.)
Is it possible to reach this host from the inside under both the NAT and the original IP address?
Regards,
Dirk
11-25-2008 10:04 AM
Please clarify your scenario so that I can
understand your requirements.
In general, NAT on PIX/ASA is not as flexible
as, say, a Juniper or Checkpoint firewall.
11-25-2008 10:18 AM
----Inside--ASA---DMZ---Host
The host is translated to the inside network and can be reached by the translated address.
I would like hosts in the inside network to be able to reach the host in the DMZ under its original and also its translated address.
At the moment it is working only with the translated address. I have already configured an exemption rule, but it is not working. In the syslog I see that I have no matching translation rule.
11-25-2008 10:25 AM
Can't be done on an ASA appliance.
Get a Checkpoint firewall and it can do the
trick for you.
11-25-2008 02:17 PM
And do you know why?
There's one book that shows the NAT order of operation as being first check NAT exemption, then static NAT.
Let us know.
11-25-2008 02:58 PM
I did some research and yes, it's possible.
You need to define two static policy NATs.
example:
real ip on DMZ 20.20.20.20
nat ip on inside 192.168.100.20
Make sure you configure the correct order:
static (DMZ,inside) 192.168.100.20 access-list acl_policy1
static (DMZ,inside) 20.20.20.20 access-list acl_policy2
access-list acl_policy1 extended permit ip host 20.20.20.20 any
access-list acl_policy2 extended permit ip host 20.20.20.20 any
Telnet from a client on the inside network to the DMZ server using both IPs, NATted and real.
client#192.168.100.20 80
Trying 192.168.100.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:13 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 192.168.100.20 closed by foreign host]
client#20.20.20.20 80
Trying 20.20.20.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:21 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 20.20.20.20 closed by foreign host]
client#
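The post above relies on two ordered policy statics for one real host. The following is an added example, not the poster's configuration or any Cisco code: a simplified Python model of how ordered policy statics are evaluated, assuming first-match semantics in both directions (match on the ACL when the real host initiates toward the mapped interface, match on the mapped destination address when an inside client connects). The rule set, interface names and the constructed test addresses are taken from or modelled on the post; the lookup logic itself is an assumption about ASA behaviour, written to illustrate why one real address answers under two mapped addresses and why the order of the two lines matters for connections the DMZ server itself initiates.

```python
"""Simplified model of ordered ASA static policy NAT (added example, not Cisco code)."""
from ipaddress import ip_address, ip_network
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# One ACE of the form "permit ip host <real> any" -> (source network, destination network)
Ace = Tuple[str, str]


@dataclass(frozen=True)
class StaticPolicyNat:
    """Models one line: static (real_if,mapped_if) mapped_ip access-list <acl>."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    acl: Tuple[Ace, ...]

    def permits(self, src: str, dst: str) -> bool:
        """True if any ACE in the policy ACL matches the real-side flow."""
        return any(
            ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
            for s, d in self.acl
        )

    def real_ip(self) -> str:
        """The single real host this policy static translates (as in the post)."""
        hosts = {s for s, _ in self.acl}
        if len(hosts) != 1:
            raise ValueError("model only supports single-host policy ACLs")
        return hosts.pop().split("/")[0]


def translate_from_real(rules: Sequence[StaticPolicyNat], ingress_if: str,
                        egress_if: str, src: str, dst: str) -> Optional[str]:
    """Real host initiating toward the mapped side: first static whose ACL permits wins.
    Assumption: first-match ordering, which is why the post stresses line order."""
    for r in rules:
        if r.real_if == ingress_if and r.mapped_if == egress_if and r.permits(src, dst):
            return r.mapped_ip
    return None


def untranslate_to_real(rules: Sequence[StaticPolicyNat], ingress_if: str,
                        egress_if: str, dst: str) -> Optional[str]:
    """Client on the mapped side: the static is selected by the mapped destination address,
    so each distinct mapped_ip gives the inside a separate way to reach the real host."""
    for r in rules:
        if r.mapped_if == ingress_if and r.real_if == egress_if and r.mapped_ip == dst:
            return r.real_ip()
    return None


# The two statics from the post, in the order given there (constructed from the thread).
ACL = (("20.20.20.20/32", "0.0.0.0/0"),)          # permit ip host 20.20.20.20 any
RULES = (
    StaticPolicyNat("DMZ", "inside", "192.168.100.20", ACL),   # acl_policy1
    StaticPolicyNat("DMZ", "inside", "20.20.20.20", ACL),      # acl_policy2 (identity)
)


if __name__ == "__main__":
    for dst in ("192.168.100.20", "20.20.20.20", "20.20.20.21"):
        print(f"inside -> {dst}: real destination {untranslate_to_real(RULES, 'inside', 'DMZ', dst)}")
    # Constructed inside client address, used only to exercise the real-initiated direction.
    print("DMZ server initiating, as given   :",
          translate_from_real(RULES, "DMZ", "inside", "20.20.20.20", "192.168.100.5"))
    print("DMZ server initiating, lines swapped:",
          translate_from_real(RULES[::-1], "DMZ", "inside", "20.20.20.20", "192.168.100.5"))
```

Running it shows both 192.168.100.20 and 20.20.20.20 resolving to the same DMZ host from the inside, an unmapped address resolving to nothing (the "no matching translation" case from the thread), and the server's own outbound connections taking the mapped address of whichever static is listed first, since both ACLs are identical.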