02-04-2009 02:13 PM - edited 03-11-2019 07:46 AM
Hello All:
I did a search for past responses but nothing gave a definite answer. I was hoping someone could enlighten me with a push in the right direction toward getting the proper config for this scenario.
I have a test lab with a single ASA 5510 with an outside interface (192.168.250.1/24), an inside interface (172.20.40.74/24) and a DMZ (172.18.1.1/24). On the DMZ, I have a system listening on port 80. With the NAT 0 statement, I can get from the inside interface to port 80 on the test system in the DMZ. What I cannot do is use the static statement to hairpin the traffic to the 172.18.1.5 system listening on port 80.
This is the NAT and Static config.
access-list inbound-outside extended permit tcp any host 192.168.250.5 eq www
access-list inside_nat0 extended permit ip 172.20.40.0 255.255.255.0 172.18.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 172.20.40.0 255.255.255.0
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
access-group inbound-http in interface http
access-group inbound-outside in interface outside
When I try to get to 192.168.250.5 from the inside system 172.20.40.71, this is what I see in the log, and the connection times out waiting.
%ASA-7-609001: Built local-host inside:172.20.40.71
%ASA-7-609001: Built local-host outside:192.168.250.5
%ASA-6-305011: Built dynamic TCP translation from inside:172.20.40.71/1606 to outside:192.168.250.1/1024
%ASA-6-302013: Built outbound TCP connection 493 for outside:192.168.250.5/80 (192.168.250.5/80) to inside:172.20.40.71/1606 (192.168.250.1/1024)
%ASA-6-302014: Teardown TCP connection 493 for outside:192.168.250.5/80 to inside:172.20.40.71/1606 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:192.168.250.5 duration 0:00:30
How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we could just use the external IPs to connect to systems on the DMZ?
Thanks for your help in advance.
Frank
02-04-2009 04:19 PM
How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we could just use the external IPs to connect to systems on the DMZ?
Hi,
So you have to access 172.18.1.5 via outside using 192.168.250.5:
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
To access 192.168.250.5 from inside you need (assuming the DMZ interface nameif is http):
static (http,inside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
To access 192.168.250.5 from the same http interface, this is hairpinning and you need:
same-security-traffic permit intra-interface
static (http,http) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
Regards
Please rate any helpful posts if it helps.
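Putting the answer above together with the original post's config, here is the complete pre-8.3-style (static/global/nat) configuration as an added example; it is not from either poster. The interface numbers and security levels are assumed, since the thread only gives the nameifs and addresses; "http" is the DMZ nameif as in the thread.

```cisco
! Interfaces as described in the thread; Ethernet numbering and
! security levels are assumptions, not from the original post
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.250.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.20.40.74 255.255.255.0
interface Ethernet0/2
 nameif http
 security-level 50
 ip address 172.18.1.1 255.255.255.0
!
! Dynamic PAT for inside hosts leaving via outside, plus the NAT 0
! exemption for inside -> DMZ when the real DMZ address is used
access-list inside_nat0 extended permit ip 172.20.40.0 255.255.255.0 172.18.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 172.20.40.0 255.255.255.0
!
! Publish the DMZ web server on its outside address ...
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
!
! ... and also on the inside interface. This is the line that was missing:
! without it the ASA has no translation for 192.168.250.5 on inside, so it
! treats it as a host behind outside (log shows "Built outbound TCP connection
! ... outside:192.168.250.5/80" followed by a 0-byte "SYN Timeout").
static (http,inside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
!
! Only if hosts in the DMZ itself must reach the server by 192.168.250.5
! (true hairpin on one interface). Omit both lines otherwise; intra-interface
! traffic is off by default and should stay off unless needed.
same-security-traffic permit intra-interface
static (http,http) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
!
! Only what the outside may reach. Inside -> DMZ is permitted by the
! security levels as long as no access-group is applied to inside.
access-list inbound-outside extended permit tcp any host 192.168.250.5 eq www
access-group inbound-outside in interface outside
```

To check the result before trusting a client, run the same flow the log shows through packet-tracer from the ASA CLI: `packet-tracer input inside tcp 172.20.40.71 1606 192.168.250.5 80`. With the `static (http,inside)` line in place the trace shows an UN-NAT phase for 192.168.250.5 to 172.18.1.5 and an output interface of http; without it the output interface is outside, which matches the SYN Timeout in the original log. Note that the added static only creates a translation on the inside interface; it does not open anything new from outside, which is still governed by the inbound-outside ACL.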
02-06-2009 10:35 AM
Frank, is your problem resolved with my suggestion? If not, let us know so we can assist you further.
Regards
02-06-2009 11:24 AM
I did not get a chance to try it until this morning. It turns out the
static (http,inside) 192.168.250.5 172.18.1.5 entry worked.
When I used packet-tracer from the ASA, it showed the UN-NAT and started directing the traffic to the http interface properly.
UN-NAT, I had never seen that before. Great to learn something new on this ASA.
Thanks
Frank