Inside host to access DMZ host (with natted public IP) via its private IP

Unanswered Question
Sep 23rd, 2009

Inside =


Outside interface of ASA5520 =

DMZ host has a 1-to-1 NAT translation with

Everything is fine except that after the DMZ host was configured to have a 1-to-1 NAT translation with the public IP address, all inside hosts at stopped accessing this DMZ host via its internal IP address (

How do I allow this? I know how it is done on a router, however I don't know how to accomplish this on an ASA.

thank you

platinum_jem Wed, 09/23/2009 - 20:26

Post your NAT configuration here.

ASA NAT configuration specifies the source and destination interface, so it doesn't do NAT unnecessarily.

insccisco Mon, 09/28/2009 - 09:30

guys, can anyone shed some light here?

The DMZ host is OK with its One-to-One NAT translation (its public IP is

Now the problem is getting a bit worse because I just found out that none of the other DMZ hosts can get to this Natted host via its public IP.

I know there are some things that need to be done on the ASA to allow this. All DMZ hosts can access each other fine via their internal IPs, but again, it is this particular NATTED host that can't be accessed via its public IP.

In the past I know the work around was the alias command but that was deprecated.

Anyone knows the fix for this?

Mike Wise Mon, 09/28/2009 - 09:56

Have you tried nat 0, something like this:

access-list no-nat permit ip

nat (inside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat

that should allow you to communicate between segments by private IPs

This may shed some light as well:


charrellc011699 Mon, 09/28/2009 - 12:38

Often this issue crops up depending on how the internal clients are accessing the DMZ server. If access is based on FQDN rather than IP address, the problem may be solved by rewriting the DNS response.

For example, if an "inside" host wishes to access the DMZ host by its FQDN of "server.example.com", the DNS response may be the public IP address. The client would attempt to connect to the public IP (traffic flow would be: in the inside interface, out the outside interface, outside router would forward the traffic *back* into the outside interface...) which the ASA would discard.

IF this is what is occurring, the ASA can rewrite the DNS response to the client to be the private address of the DMZ server, rather than the public NAT address of the dmz server.

Full details on DNS Doctoring voodoo:
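Example configuration for the DNS rewrite this reply describes (added for this page; it is not charrellc's configuration and not taken from the linked article). It assumes the clients resolve names against a DNS server on the outside, that DNS inspection is enabled (it is in the ASA's default global policy, reproduced here), and uses constructed addresses: DMZ host real IP 172.16.1.50, public IP 203.0.113.50.

```cisco
! Added example (not from the thread): DNS rewrite ("DNS doctoring") with
! the "dns" keyword on a pre-8.3 static. Constructed addresses:
!   DMZ host real IP    172.16.1.50
!   DMZ host public IP  203.0.113.50
!
! Publish the DMZ host on the outside. The trailing "dns" keyword makes
! the ASA rewrite A-record answers that carry the mapped address
! 203.0.113.50 to the real address 172.16.1.50 as the DNS reply passes
! from the outside DNS server to the inside client, so the client connects
! directly to the DMZ host instead of looping out through the outside
! interface.
static (DMZ,outside) 203.0.113.50 172.16.1.50 netmask 255.255.255.255 dns
!
! The rewrite only happens if DNS inspection is applied to the reply.
! This is the default global policy on 7.2/8.x; it is shown so the
! dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Checks: the static xlate should be present, and the policy-map should
! show dns inspection attached to the global service policy.
show xlate
show run policy-map
```

The rewrite applies only to DNS replies that actually traverse the ASA; clients that resolve the name from a DNS server on their own segment keep whatever that server returns, so the server's own records must point at the private address in that case.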



insccisco Thu, 10/01/2009 - 16:44

Looks like a good article. I will read it later.

I was able to accomplish this by doing the following commands:

static (DMZ,inside) netmask

static (DMZ,DMZ) netmask

static (DMZ,outside) netmask

The DMZ host can now be accessed from the internet and from the inside network via its public IP.

I looked at an old config where I had set this up before and just followed the logic.

I also wanted to access this .50 host from the inside network via its private IP but I am unable to do so. I searched all over the place and all I found was examples of this being done on a router with some combination of PBR and the loopback interface.

At this point I am making an educated guess that this is not possible on the ASA and that loopbacks are not supported on this platform.

Has anyone worked around this?
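The three static statements in this post, written out with constructed addresses in place of the elided ones, plus the supporting lines they depend on (an added example for this page, not insccisco's actual configuration). It assumes the interface nameifs inside, DMZ and outside, a web service on the DMZ host, and constructed addresses: real IP 172.16.1.50, public IP 203.0.113.50, inside 10.1.1.0/24, a second DMZ host 172.16.1.20.

```cisco
! Added example (not from the thread): publishing a DMZ host under its
! public address on every interface, in pre-8.3 syntax. Constructed values:
!   DMZ host real IP     172.16.1.50
!   DMZ host public IP   203.0.113.50
!   inside subnet        10.1.1.0/24
!   another DMZ host     172.16.1.20
!
! Required by static (DMZ,DMZ): a flow that enters and leaves the DMZ
! interface is dropped unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface
!
! Internet -> DMZ host via its public IP (real interface, mapped interface,
! mapped address, real address).
static (DMZ,outside) 203.0.113.50 172.16.1.50 netmask 255.255.255.255
!
! Inside hosts -> DMZ host via its public IP.
static (DMZ,inside) 203.0.113.50 172.16.1.50 netmask 255.255.255.255
!
! Other DMZ hosts -> this host via its public IP (hairpin on the DMZ side).
static (DMZ,DMZ) 203.0.113.50 172.16.1.50 netmask 255.255.255.255
!
! Pre-8.3 interface ACLs match the translated (public) address.
! Expose only the published service from the internet.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.50 eq www
access-group OUTSIDE_IN in interface outside
!
! Checks: each trace should report the matching static in its NAT phase
! and end in ALLOW.
packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.50 80
packet-tracer input DMZ tcp 172.16.1.20 1025 203.0.113.50 80
! Static xlates are present in the table whether or not traffic has flowed.
show xlate
```

This design deliberately presents the host to the inside and DMZ segments under its public address only, which matches the result described in the post; the question of reaching the same host from the inside by its private address is left as the thread leaves it. Keep the outside ACL limited to the published service, since the static on its own does not restrict which ports on the DMZ host are reachable.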
