How to let inside users access outside NATed IP addresses?

Answered Question
Apr 4th, 2009

Recently I've set up an ASA5510 to meet the following criteria:

Cr1. Inside users go to the Internet with a single IP address (the outside interface).

Cr2. The DMZ contains HTTP and mail servers that are NATed to the outside network.

Cr3. Inside users access the HTTP and mail servers by their DMZ IP addresses (I use split DNS here).

I would like to make some improvements to this config:

I1. Access these NATed services from inside without needing split DNS, so that I can use just one external DNS server. Please note that I do not want to move the servers to the outside and prefer to keep them on the DMZ.

I2. Make users from inside appear on the Internet with a group of IP addresses instead of the single IP of the ASA's outside interface.

I3. NAT an inside Lotus Domino server to an outside IP and be able to access it from inside by using its NATed outside address as well as its inside IP.

Improvement #3 I've half done easily, but I cannot figure out how to make inside users access either DMZ or inside hosts by their NATed outside IPs.

Any suggestions are greatly appreciated!

Thank you!

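Added example, not from the thread and not any participant's configuration: one way to meet Cr1, Cr2 and improvements I1 to I3 on a 2009-era ASA (pre-8.3 NAT syntax). Split DNS is replaced by DNS doctoring, the "dns" keyword on a static, which makes the ASA rewrite A records in DNS replies that cross it. All addresses (203.0.113.0/24 as the public range, 172.16.1.0/24 as DMZ, 10.1.1.0/24 as inside), interface names, host roles and port numbers are assumptions for illustration.

```cisco
! Assumed topology:
!   web    172.16.1.10 (dmz)    published as 203.0.113.10
!   mail   172.16.1.11 (dmz)    published as 203.0.113.11
!   domino 10.1.1.20   (inside) published as 203.0.113.12

! Cr1 -> I2: inside users leave with addresses from a pool instead of the
! outside interface address. Both global entries share NAT id 1; the pool
! is used first and the interface PAT catches overflow once it is exhausted.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.29 netmask 255.255.255.0
global (outside) 1 interface

! Cr2 + I1: DMZ servers published on outside. With "dns", a reply from the
! external DNS server that carries 203.0.113.10 is rewritten to 172.16.1.10
! on its way to an inside client, so one external zone serves both sides.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 dns
static (dmz,outside) 203.0.113.11 172.16.1.11 netmask 255.255.255.255 dns

! I3: inside Domino server published on outside. With "dns", inside clients
! that resolve the public name get 10.1.1.20 back and connect on the LAN.
static (inside,outside) 203.0.113.12 10.1.1.20 netmask 255.255.255.255 dns

! DNS rewriting only happens when DNS inspection is on. It is part of the
! default global policy; it is repeated here in case that policy was edited.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Least privilege on the outside edge: only the published ports. Pre-8.3
! ACLs reference the mapped (public) addresses.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.11 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.12 eq 1352
access-group outside_in in interface outside

! Caveat: doctoring only helps clients that resolve names. An inside client
! that types 203.0.113.12 literally needs a hairpin on the inside interface.
! The source must also be translated to the inside interface address, or
! the server would answer the client directly and the ASA would drop the
! asymmetric reply.
same-security-traffic permit intra-interface
static (inside,inside) 203.0.113.12 10.1.1.20 netmask 255.255.255.255
global (inside) 1 interface

! Check: simulate an inside client hitting the public address.
! packet-tracer input inside tcp 10.1.1.50 1025 203.0.113.12 1352
```

The check at the end (packet-tracer) shows each phase, including which static or global entry matched, which is the quickest way to confirm the hairpin and the pool behave as intended before cutting over from split DNS.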
nkaretnikov Mon, 04/13/2009 - 05:22

Clark, could you comment on whether the following scenario is possible?

The DMZ host I have bi-NATed so that inside users connect to its outside address; this is cool. But I also have VPN users sitting in France, and my DMZ server must push email to them through the site-to-site VPN. So, what should be done here? NATing the DMZ address to the inside network cannot be done, as I already have an (inside,dmz) dmz.address,external.address command, and another (inside,dmz) dmz.address,inside.address would overlap the existing one.

Is there any chance for one host to be NATed to two different addresses, or could this be done otherwise?

Thank you!

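Added example, not from the thread and not any participant's configuration: pre-8.3 ASA syntax showing that a static is keyed by its interface pair, so a single DMZ host can carry a mapped address on the (dmz,inside) pair and a different one on the (dmz,outside) pair, and that traffic to a site-to-site peer can be excluded from translation with NAT exemption, which the ASA evaluates before any static. Addresses (DMZ server 172.16.1.11, public 203.0.113.11, inside 10.1.1.0/24, remote site 192.168.50.0/24) and the VPN ACL names are assumptions.

```cisco
! One real host, one mapped address per interface pair. These two entries
! do not clash because each applies only to its own pair.
static (dmz,outside) 203.0.113.11 172.16.1.11 netmask 255.255.255.255 dns
static (dmz,inside)  203.0.113.11 172.16.1.11 netmask 255.255.255.255

! Mail pushed to the remote site leaves through outside, where the
! (dmz,outside) static would otherwise present the server as 203.0.113.11
! before encryption. NAT exemption (nat 0 access-list) is matched first and
! is bidirectional, so this flow crosses the tunnel untranslated.
access-list dmz_nonat extended permit ip host 172.16.1.11 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat

! The crypto ACL for the site-to-site tunnel must then select the real
! address, not the public one (crypto map itself omitted).
access-list vpn_fr extended permit ip host 172.16.1.11 192.168.50.0 255.255.255.0

! Check: the trace should show the nat-exempt rule matching and the packet
! being handed to the VPN, not to the (dmz,outside) static.
! packet-tracer input dmz tcp 172.16.1.11 1025 192.168.50.10 25
```

Keep the exemption ACL as narrow as the tunnel needs; a broad "permit ip any" exemption silently removes the public-address mapping for every destination it matches.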