Inside host to access DMZ host (with natted public IP) via its private IP

Unanswered Question
Sep 23rd, 2009

Inside = 10.10.10.0/24

DMZ = 10.10.20.0/24

Outside interface of ASA5520 = 66.66.66.25


DMZ host 10.10.20.50 has a 1-to-1 NAT translation with 66.66.66.27


Everything is fine except that after the DMZ host 10.10.20.50 was configured to have a 1-to-1 NAT translation with the public IP address, all inside hosts at 10.10.10.0 stopped accessing this DMZ host via its internal IP address (10.10.20.50).


How do I allow this? I know how it is done on a router, however I don't know how to accomplish this on an ASA.


thank you

platinum_jem Wed, 09/23/2009 - 20:26

Post your NAT configuration here.


ASA NAT configuration specifies the source and destination interface, so it doesn't do NAT unnecessarily.

insccisco Mon, 09/28/2009 - 09:30

Guys, can anyone shed some light here?


The DMZ host 10.10.20.50 is OK with its One-to-One NAT translation (its public IP is 66.66.66.27).


Now the problem is getting a bit worse because I just found out that none of the other DMZ hosts can get to this NATted host via its public IP.


I know there are some things that need to be done on the ASA to allow this. All DMZ hosts can access each other fine via their internal IPs, but again, it is this particular NATTED host that can't be accessed via its public IP.


In the past I know the work around was the alias command but that was deprecated.


Anyone knows the fix for this?






Mike Wise Mon, 09/28/2009 - 09:56

Have you tried nat 0 something like this:


access-list no-nat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list no-nat-dmz permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (dmz) 0 access-list no-nat-dmz


that should allow you to communicate between segments by private IPs


This may shed some light as well:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#multi_nat





charrellc011699 Mon, 09/28/2009 - 12:38

Often this issue crops up depending on how the internal clients are accessing the DMZ server. If access is based on FQDN rather than IP address, the problem may be solved by rewriting the DNS response.


For example, if an "inside" host wishes to access the DMZ host by its FQDN of "server.example.com", the DNS response may be the public IP address. The client would attempt to connect to the public IP (traffic flow would be: in the inside interface, out the outside interface, outside router would forward the traffic *back* into the outside interface...) which the ASA would discard.


If this is what is occurring, the ASA can rewrite the DNS response to the client to be the private address of the DMZ server, rather than the public NAT address of the DMZ server.


Full details on DNS Doctoring voodoo:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml



HTH

insccisco Thu, 10/01/2009 - 16:44

Looks like a good article. I will read it later.


I was able to accomplish this by doing the following commands:


static (DMZ,inside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255

static (DMZ,DMZ) 66.66.66.27 10.10.20.50 netmask 255.255.255.255

static (DMZ,outside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255


The DMZ host 10.10.20.50 can now be accessed from the internet and from the inside network via its public IP.


I looked at an old config where I had set this up before and just followed the logic.


I also wanted to access this .50 host from the inside network via its private IP but I am unable to do so. I searched all over the place and all I found was examples of this being done on a router with some combination of PBR and the loopback interface.


At this point I am making an educated guess that this is not possible on the ASA and that loopbacks are not supported on this platform.


Has anyone worked around this?
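Pulling the thread's pieces together, the following is an added example configuration (not posted by anyone in this thread) in pre-8.3 ASA NAT syntax for the addresses above; it assumes interface names inside, DMZ and outside with security levels 100, 50 and 0, nat-control left disabled, and a constructed HTTPS rule for the Internet side.

```cisco
! Added example, not from the thread. Pre-8.3 (e.g. 8.2) ASA NAT syntax.
! Assumes interfaces inside (100), DMZ (50), outside (0); nat-control disabled.
!
! 1) Internet reaches the DMZ host on its public address (service is a
!    constructed example).
static (DMZ,outside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 66.66.66.27 eq 443
access-group OUTSIDE_IN in interface outside
!
! 2) Inside hosts reach the DMZ host by its PRIVATE address.
!    An identity static keeps 10.10.20.50 untranslated toward inside, so the
!    server's replies return from 10.10.20.50 and match the connection.
!    A real address gets one mapped address per interface pair, so this line
!    stands in for "static (DMZ,inside) 66.66.66.27 10.10.20.50"; keep the
!    public-address form instead if inside hosts should use 66.66.66.27.
static (DMZ,inside) 10.10.20.50 10.10.20.50 netmask 255.255.255.255
!
! 3) Other DMZ hosts reach the host via its public address (hairpin).
!    The flow enters and leaves the DMZ interface, which must be permitted,
!    and the peer's source is PATed to the DMZ interface address so the
!    server's reply comes back through the ASA instead of going direct
!    with the private source the peer does not expect.
same-security-traffic permit intra-interface
static (DMZ,DMZ) 66.66.66.27 10.10.20.50 netmask 255.255.255.255
access-list DMZ_HAIRPIN extended permit ip 10.10.20.0 255.255.255.0 host 66.66.66.27
nat (DMZ) 1 access-list DMZ_HAIRPIN
global (DMZ) 1 interface
```

After applying, "show xlate" should list the identity and hairpin entries as connections are built, and "packet-tracer input inside tcp 10.10.10.5 1025 10.10.20.50 443" confirms the inside-to-private path is not rewritten.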
