Access external Static destined to DMZ from Inside Interface

connectone
Level 4

Hello All:

I did a search for past responses but nothing gave a definite answer. I was hoping someone could enlighten me with a push in the right direction to getting the proper config for this scenario.

I have a test lab with a single ASA 5510 with an outside interface (192.168.250.1/24), an inside interface (172.20.40.74/24) and a DMZ interface (172.18.1.1/24). On the DMZ, I have a system listening on port 80. With the NAT 0 statement, I can get from the inside interface to port 80 on the test system in the DMZ. What I cannot do is use the static statement to hairpin the traffic to the 172.18.1.5 system listening on port 80.

This is the NAT and static config:

access-list inbound-outside extended permit tcp any host 192.168.250.5 eq www
access-list inside_nat0 extended permit ip 172.20.40.0 255.255.255.0 172.18.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 172.20.40.0 255.255.255.0
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
access-group inbound-http in interface http
access-group inbound-outside in interface outside

When I try to get to 192.168.250.5 from the inside system 172.20.40.71, this is what I see in the log, and the connection times out waiting:

%ASA-7-609001: Built local-host inside:172.20.40.71
%ASA-7-609001: Built local-host outside:192.168.250.5
%ASA-6-305011: Built dynamic TCP translation from inside:172.20.40.71/1606 to outside:192.168.250.1/1024
%ASA-6-302013: Built outbound TCP connection 493 for outside:192.168.250.5/80 (192.168.250.5/80) to inside:172.20.40.71/1606 (192.168.250.1/1024)
%ASA-6-302014: Teardown TCP connection 493 for outside:192.168.250.5/80 to inside:172.20.40.71/1606 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:192.168.250.5 duration 0:00:30

How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we can just use the external IPs to connect to systems on the DMZ?

Thanks for your help in advance.

Frank

Accepted Solution

JORGE RODRIGUEZ
Level 10

How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we can just use the external IPs to connect to systems on the DMZ?

Hi,

So you have to access 172.18.1.5 via outside using 192.168.250.5:

static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255

To access 192.168.250.5 from inside you need (assuming the DMZ interface nameif is http):

static (http,inside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255

To access 192.168.250.5 from the same http interface, this is hairpinning and you need:

same-security-traffic permit intra-interface
static (http,http) 192.168.250.5 172.18.1.5 netmask 255.255.255.255

Regards

PLS rate any helpful posts if it helps

Jorge Rodriguez


3 Replies


Frank, is your problem resolved with my suggestion? If not, let us know so we can assist you further.

Regards

Jorge Rodriguez

I did not get a chance to try it until this morning. It turns out the

static (http,inside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255

entry worked.

When I used packet-tracer from the ASA, it showed the UN-NAT and started directing the traffic to the http interface properly.

UN-NAT, I had never seen that before. Great to learn something new on this ASA.

Thanks

Frank
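The behaviour the thread settles on, as an added illustration that is neither Cisco code nor something the posters wrote: a small Python model of how a pre-8.3 ASA applies a static's UN-NAT before the route lookup, using the interface names, subnets and static entries from the thread. With only the (http,outside) static, a packet from inside to 192.168.250.5 is simply routed by destination out the outside interface, where nothing owns that address, which is the SYN timeout in Frank's log; adding the (http,inside) static makes the ASA rewrite the destination to 172.18.1.5 and hand the packet to the DMZ. The (http,http) case models why same-security-traffic permit intra-interface is also needed for hairpinning. The route lookup (connected subnets, default route via outside) and the matching rules are deliberate simplifications assumed for the example, not the firewall's full logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Static:
    """One pre-8.3 'static (real_ifc,mapped_ifc) mapped_ip real_ip' entry."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


# Directly connected subnets per interface, taken from the thread.
INTERFACES = {
    "outside": ip_network("192.168.250.0/24"),
    "inside": ip_network("172.20.40.0/24"),
    "http": ip_network("172.18.1.0/24"),  # the DMZ; its nameif is 'http'
}


def route_lookup(dst):
    """Egress interface for a destination: a connected route if one matches,
    otherwise a default route that (assumption) points out 'outside'."""
    addr = ip_address(dst)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "outside"


def forward(ingress, dst, statics, intra_interface=False):
    """Decide where a packet entering `ingress` for `dst` goes.

    Returns (egress_ifc, dst_after_nat, note); egress_ifc is None if dropped.

    UN-NAT happens before the route lookup: if `dst` is a mapped address that
    some static presents on the ingress interface, the destination is rewritten
    to the real address and the packet is sent to the real interface. Otherwise
    the unmodified destination is routed.
    """
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst:
            egress, new_dst = s.real_ifc, s.real_ip
            note = "UN-NAT via static (%s,%s)" % (s.real_ifc, s.mapped_ifc)
            break
    else:
        egress, new_dst, note = route_lookup(dst), dst, "routed by destination"

    # Traffic that would leave on the interface it arrived on needs
    # 'same-security-traffic permit intra-interface'.
    if egress == ingress and not intra_interface:
        return None, dst, "dropped: intra-interface traffic not permitted"
    return egress, new_dst, note


# The original config from the question: only the outside-facing static.
OUTSIDE_ONLY = [Static("http", "outside", "192.168.250.5", "172.18.1.5")]

# The accepted fix: also present the mapped address on the inside interface.
WITH_INSIDE_STATIC = OUTSIDE_ONLY + [
    Static("http", "inside", "192.168.250.5", "172.18.1.5")
]

# And for DMZ hosts reaching the same server by its mapped address.
WITH_HAIRPIN = WITH_INSIDE_STATIC + [
    Static("http", "http", "192.168.250.5", "172.18.1.5")
]


def inside_client_to_mapped(statics):
    """172.20.40.71 (inside) opens TCP/80 to 192.168.250.5."""
    return forward("inside", "192.168.250.5", statics)


if __name__ == "__main__":
    # Matches the log: the SYN leaves via 'outside' toward 192.168.250.5, an
    # address that exists only as a translation, so nothing ever answers.
    print(inside_client_to_mapped(OUTSIDE_ONLY))
    # ('outside', '192.168.250.5', 'routed by destination')
    # With the extra static the ASA UN-NATs and hands the packet to the DMZ.
    print(inside_client_to_mapped(WITH_INSIDE_STATIC))
    # ('http', '172.18.1.5', 'UN-NAT via static (http,inside)')
    # DMZ host to the mapped address: dropped until intra-interface is permitted.
    print(forward("http", "192.168.250.5", WITH_HAIRPIN))
    print(forward("http", "192.168.250.5", WITH_HAIRPIN, intra_interface=True))
```

The model shows why packet-tracer reports an UN-NAT phase once the (http,inside) static is present: the translation decides the egress interface, so inside hosts can keep using the external address without split DNS.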
