access dmz server from inside using public ip

Unanswered Question
Dec 14th, 2009

I've got an ASA firewall with three active interfaces on it, an inside, outside, and DMZ. In the DMZ I have my servers. Each has a static mapping to an outside ip address in the form of a static (dmz,outside) x.x.x.x x.x.x.x

I have an internal app on the inside network that needs to verify the DMZ servers are accessible and listening on their appropriate services (i.e. the web site is accessible on the web server). The inside app needs to access the DMZ server using the public ip, not its actual DMZ network address. Do I need to do anything special on the ASA to get this to work? Currently the only NAT I have configured on the box is the DMZ,outside mappings, along with the inside network getting PAT'd to the outside interface address for internet-bound traffic. Thanks

Kureli Sankar (Cisco Employee) Mon, 12/14/2009 - 18:30

Yes, you need D-NAT (Destination NAT).

That thread may be a little hard to follow.

In your case you need the following:

static (dmz,inside) p.p.p.p d.d.d.d

Where p.p.p.p is the public address and d.d.d.d is the dmz ip address for this server that the inside hosts need access to. That static says that if the inside interface sees a packet destined to p.p.p.p, it is supposed to forward it to the dmz interface, to the d.d.d.d ip address.

Do you have source translation for the inside network to get to the DMZ?

Like identity translation?

static (i,d) i.i.i.i i.i.i.i, where the inside address is i.i.i.i

Good Luck.
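A worked version of the configuration described in the answer above, added here as an illustration and not part of the original thread. It assumes pre-8.3 ASA `static`/`nat`/`global` syntax (matching the commands used in the thread), interface names inside, dmz and outside, an inside network of 10.0.0.0/24, a DMZ web server at 192.168.50.10 published on the public address 203.0.113.10, and an ACL named inside_in; every one of those names and addresses is made up for the example.

```text
! Already in place (from the question): publish the DMZ web server on its public
! address for Internet clients. Real interface is dmz, mapped interface is outside.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! Already in place (from the question): PAT the inside network to the outside
! interface address for Internet-bound traffic.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0

! Added: destination NAT for inside -> dmz. A packet arriving on inside with
! destination 203.0.113.10 is forwarded out dmz to 192.168.50.10. The same real
! address may be mapped on several interfaces, so this coexists with the line above.
static (dmz,inside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! Added: identity translation so inside source addresses reach the DMZ unchanged
! (required if nat-control is enabled; otherwise the inside hosts would match
! "nat (inside) 1" and need a matching global on dmz).
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

! Only if an ACL is already applied inbound on inside: permit the PUBLIC address as
! the destination. Pre-8.3 ACLs match addresses as they appear on that interface,
! so the inside ACL sees 203.0.113.10, not 192.168.50.10.
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 host 203.0.113.10 eq www

! Check from the ASA before testing from the app: the trace should show the
! static (dmz,inside) translation being hit and the packet allowed out dmz.
packet-tracer input inside tcp 10.0.0.5 12345 203.0.113.10 80
```

Two caveats for anyone applying this today: on ASA 8.3 and later the `static`/`nat`/`global` commands are replaced by object and twice NAT, and ACLs match real (untranslated) addresses, so both the NAT lines and the permit line would be written differently. And note that this is a cross-interface (inside to dmz) translation, not same-interface hairpinning, so no `same-security-traffic permit intra-interface` is needed.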
