12-14-2009 04:53 PM - edited 03-11-2019 09:48 AM
I've got an ASA firewall with three active interfaces on it, an inside, outside, and DMZ. In the DMZ I have my servers. Each has a static mapping to an outside ip address in the form of a static (dmz,outside) x.x.x.x x.x.x.x
I have an internal app on the inside network that needs to verify the DMZ servers are accessible and listening on their appropriate services (i.e. web site is accessible on web server). The inside app needs to access the DMZ server using the public ip, not its actual DMZ network address. Do I need to do anything special on the ASA to get this to work? Currently the only NAT I have configured on the box is the DMZ, outside mappings, along with the inside network getting PAT'd to the outside interface address for internet bound traffic. Thanks
12-14-2009 05:55 PM
Hello mjsully,
Maybe the link can help you.
https://supportforums.cisco.com/message/1330220#1330220
THX
Keisikka
12-14-2009 06:30 PM
Yes, you need D-NAT (Destination NAT).
That thread may be little hard to follow.
In your case you need the following:
static (dmz,inside) p.p.p.p d.d.d.d
Where p.p.p.p is the public address and d.d.d.d is the dmz ip address for this server that the inside hosts need access to. That static says that if the inside interface sees a packet destined to p.p.p.p it is supposed to forward it to the dmz interface to the d.d.d.d ip address.
Do you have source translation for the inside network to get to the DMZ?
like identity translation?
static (i,d) i.i.i.i i.i.i.i where inside address is i.i.i.i
Good Luck.
-KS
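Putting the answer's two statics together in one place, as an added example (not from either poster), using the pre-8.3 static syntax the thread uses. The addresses (public 203.0.113.10, DMZ server 192.168.2.10, inside 10.0.0.0/16), the interface names and the port numbers are constructed assumptions.

```cisco
! Added example, not from the thread. Constructed addresses:
!   public 203.0.113.10 -> DMZ web server 192.168.2.10; inside network 10.0.0.0/16
! Pre-8.3 NAT syntax, matching the answer above.
!
! Existing mapping: Internet clients reach the DMZ server via its public address
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
!
! Destination NAT for inside hosts: a packet arriving on the inside interface
! for 203.0.113.10 is sent out the dmz interface to 192.168.2.10
static (dmz,inside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
!
! Identity translation so inside sources keep their own address toward the DMZ
! (the source translation the answer asks about; required when nat-control is enabled)
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
!
! Checks: confirm the translations were built, then trace an inside host
! (10.0.0.5, constructed) connecting to the public address on port 80
show xlate
packet-tracer input inside tcp 10.0.0.5 40000 203.0.113.10 80
```

The packet-tracer output should show the NAT phase rewriting the destination to 192.168.2.10 and the flow leaving via the dmz interface; a DROP in the NAT phase points at a missing or mis-ordered static.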