Inside host to access DMZ host (with natted public IP) via its private IP

insccisco
Level 1

Inside = 10.10.10.0/24

DMZ = 10.10.20.0/24

Outside interface of ASA5520 = 66.66.66.25

DMZ host 10.10.20.50 has a 1-to-1 NAT translation with 66.66.66.27

Everything is fine except that after the DMZ host 10.10.20.50 was configured to have a 1-to-1 NAT translation with the public IP address, all inside hosts at 10.10.10.0 stopped accessing this DMZ host via its internal IP address (10.10.20.50).

How do I allow this? I know how it is done on a router, however I don't know how to accomplish this on an ASA.

thank you

7 Replies

platinum_jem
Level 1

Post your NAT configuration here.

ASA NAT configuration specifies the source and destination interface, so it doesn't do NAT unnecessarily.

kumar
Level 1

OK, you can configure a NAT exemption rule for accessing internal to DMZ and also configure an access-list.

can you give me an example?

guys, can anyone shed some light here?

The DMZ host 10.10.20.50 is OK with its One-to-One NAT translation (its public IP is 66.66.66.27).

Now the problem is getting a bit worse because I just found out that none of the other DMZ hosts can get to this NATted host via its public IP.

I know there are some things that need to be done on the ASA to allow this. All DMZ hosts can access each other fine via their internal IPs, but again, it is this particular NATTED host that can't be accessed via its public IP.

In the past I know the work around was the alias command but that was deprecated.

Anyone knows the fix for this?

Have you tried nat 0, something like this:

access-list no-nat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

nat (inside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat

that should allow you to communicate between segments by private IPs

This may shed some light as well:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#multi_nat

Often this issue crops up depending on how the internal clients are accessing the DMZ server. If access is based on FQDN rather than IP address, the problem may be solved by rewriting the DNS response.

For example, if an "inside" host wishes to access the DMZ host by its FQDN of "server.example.com", the DNS response may be the public IP address. The client would attempt to connect to the public IP (traffic flow would be: in the inside interface, out the outside interface, outside router would forward the traffic *back* into the outside interface...) which the ASA would discard.

IF this is what is occurring, the ASA can rewrite the DNS response to the client to be the private address of the DMZ server, rather than the public NAT address of the dmz server.

Full details on DNS Doctoring voodoo:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

HTH
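As an added illustration (not configuration posted in this thread), here is what the DNS rewrite described above looks like in pre-8.3 ASA syntax, using the addresses from the question. The interface names (inside, DMZ, outside), their security levels and the inside/DMZ gateway addresses are assumptions for the example; the `dns` keyword on `static` is what turns on the rewrite of the A record in DNS replies that cross that translation.

```cisco
! Assumed interface layout for the example (not from the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 66.66.66.25 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! NAT exemption: inside and DMZ reach each other by private IP, untranslated
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list no-nat
!
! One-to-one static for the DMZ host. With the "dns" keyword, a DNS reply
! passing through the ASA whose A record is 66.66.66.27 is rewritten to
! 10.10.20.50 before it reaches the inside client, so the client connects to
! the private address instead of hairpinning through the outside interface.
static (DMZ,outside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255 dns
!
! If DMZ hosts must also reach the server at 66.66.66.27 from the DMZ itself
! (the static (DMZ,DMZ) approach later in the thread), hairpinning on one
! interface has to be permitted explicitly:
same-security-traffic permit intra-interface
!
! Only expose the services the DMZ host actually serves (HTTPS here, assumed)
access-list outside_in extended permit tcp any host 66.66.66.27 eq 443
access-group outside_in in interface outside
!
! The rewrite only happens while DNS inspection is active; it is part of the
! default global_policy, so make sure it has not been removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

The rewrite removes the need for split DNS or for the deprecated alias command: clients keep resolving the public name, and the ASA hands them the private address only when the reply crosses the translation. Whether the rewrite applies can be checked by resolving the name from an inside host and confirming the answer is 10.10.20.50 rather than 66.66.66.27.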

Looks like a good article. I will read it later.

I was able to accomplish this by doing the following commands:

static (DMZ,inside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255

static (DMZ,DMZ) 66.66.66.27 10.10.20.50 netmask 255.255.255.255

static (DMZ,outside) 66.66.66.27 10.10.20.50 netmask 255.255.255.255

The DMZ host 10.10.20.50 can now be accessed from the internet and from the inside network via its public IP.

I looked at an old config where I had set this up before and just followed the logic.

I also wanted to access this .50 host from the inside network via its private IP but I am unable to do so. I searched all over the place and all I found was examples of this being done on a router with some combination of PBR and the loopback interface.

At this point I am making an educated guess that this is not possible on the ASA and that loopbacks are not supported on this platform.

Has anyone worked around this?
