Solved: CSS/ASA can users on the inside access the VIP by its Public IP address

tholmes · ‎10-02-2009

Hello,

I've an ASA with a DMZ on which the CSS is connected.

Outside users connect to a public IP address which is statically NAT'd to the VIP on the CSS.

All is working well, but the customer wants to be able to use the public IP address (or DNS) from the inside network of the ASA.

Is this possible, as the traffic would need to go inside to outside then outside to DMZ and back?

any help appreciated

Cheers Tony

acomiskey · ‎10-02-2009

Tony, this is pretty simple actually.

If your existing static looks something like this for access from the outside...

static (dmz,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

all you have to do is add this static

static (dmz,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

Then anyone on the inside going to 1.1.1.1 will be sent do 2.2.2.2 in the dmz.

View solution in original post

acomiskey · ‎10-02-2009

Tony, this is pretty simple actually.

If your existing static looks something like this for access from the outside...

static (dmz,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

all you have to do is add this static

static (dmz,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

Then anyone on the inside going to 1.1.1.1 will be sent do 2.2.2.2 in the dmz.

tholmes · ‎10-02-2009

Hello Acomiskey,

Thanks for your reply, you know... I've been configuring PIX firewalls (since 5.1, ASAs and FWSM, for hundreds of years now, L2L VPNs, SSL VPNs, RA, CSSs and even the odd CSM.

I did a 10 interface ASA using VLANs last month, that actually hurts!

But every now and again, I get a mental block and have to start the learning process all over again.

Is it just me? :-)

Thanks for your help, its now working, I'll happily provide a 5 rating

Cheers Tony