open translated IP from the inside

Unanswered Question
Jul 6th, 2010

We have an ASA5500 with 3 interfaces: outside, dmz, inside.

We have a number of static NATs translating a given public IP to a dmz server and that all works fine. However, for testing purposes, we need to be able to access the public IP from the inside interface.


I tried the following but that did not work:


static (inside,inside) <public_IP> <dmz_IP> netmask 255.255.255.255


What translation is missing to allow users from the inside to access the public IP address?

Marcin Latosiewicz Tue, 07/06/2010 - 06:53
Cisco Employee

I would start with

static (dmz,inside) netmask  255.255.255.255


Enable logging at informational level and test.

After test do "show logg | i IP.address"


Marcin

Nagaraja Thanthry Tue, 07/06/2010 - 07:09
Cisco Employee

Hello,


As Marcin said, you need to configure the static with "static (DMZ,inside) " format. Also, ensure that there is NAT translation between the inside and the DMZ. It could be identity NAT or dynamic PAT.


static (inside,DMZ) netmask


or


access-list nonat permit ip


nat (inside) 0 access-list nonat


or


global (dmz) 1 interface


nat (inside) 1 0.0.0.0 0.0.0.0


This will ensure that all traffic from inside (higher security) is going to DMZ with proper NAT translations.


Hope this helps.

ronshuster Tue, 07/06/2010 - 07:32

So which one is it?


Marcin says:

static (dmz,inside) netmask  255.255.255.255


Nagaraja says:

static (inside,DMZ) netmask


and what is the logic behind this?


Marcin Latosiewicz Tue, 07/06/2010 - 07:34
Cisco Employee

We're not contradicting each other. :-)


You need to make sure that servers from DMZ to inside are translated (what I was going for).

But at the same time, it's best to NAT inside users to something on DMZ. Be it identity or PAT.

Nagaraja Thanthry Tue, 07/06/2010 - 08:11
Cisco Employee

You need both of them for proper communication between the interfaces, i.e. inside and DMZ. As Marcin said, one will ensure that when your inside hosts try to access the public IP of the DMZ server, it gets translated to the corresponding DMZ IP. The other one is needed to satisfy the firewall requirement, i.e. NAT rules are needed when you go from a higher security interface (inside) to a lower security interface (DMZ).


Hope this helps.

ronshuster Tue, 07/06/2010 - 08:43

I have added the following 2 lines to the firewall:


static (dmz,inside) 192.168.1.15 netmask  255.255.255.255

The users on the inside are 172.0.0.0/8

static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0


This is the translation from the outside...it was there before

static (dmz,outside) 192.168.1.15 netmask 255.255.255.255


I am still unable to access the public address from the inside or from the dmz

Marcin Latosiewicz Tue, 07/06/2010 - 08:47
Cisco Employee

What went wrong? Can you please check the logs (informational level)?


Marcin

Nagaraja Thanthry Tue, 07/06/2010 - 08:49
Cisco Employee

Do you have any nonat or identity NAT configurations from DMZ to inside? It would look like:


nat (DMZ) 0 access-list


or


static (DMZ,inside) 192.168.1.x 192.168.1.x netmask 255.255.255.255


If you have these, that could be the reason you are not able to access. Please modify the configuration so that there is no identity nat from DMZ to inside.


Hope this helps.
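A consolidated version of what the two answers describe, added here as an illustration and not copied from the thread: ASA 8.2-era (pre-8.3) syntax, with <public_IP>, <dmz_IP> and the inside/DMZ networks as placeholders for values the thread leaves out, followed by the log and translation checks Marcin suggests.

```cisco
! Added example, not from the thread. Placeholders: <public_IP>, <dmz_IP>,
! <inside_net>/<inside_mask>, <dmz_net>/<dmz_mask>. ASA 8.2-style NAT syntax.

! 1. Existing translation toward the Internet (what the poster already has).
static (dmz,outside) <public_IP> <dmz_IP> netmask 255.255.255.255

! 2. Present the same public IP on the inside interface (Marcin's line).
!    Inside hosts connecting to <public_IP> are translated to <dmz_IP>.
static (dmz,inside) <public_IP> <dmz_IP> netmask 255.255.255.255

! 3. Satisfy the inside -> DMZ NAT requirement (Nagaraja's line). Identity NAT
!    keeps inside source addresses unchanged; use one of the two forms, not both.
static (inside,dmz) <inside_net> <inside_net> netmask <inside_mask>
! ...or NAT exemption:
! access-list nonat extended permit ip <inside_net> <inside_mask> <dmz_net> <dmz_mask>
! nat (inside) 0 access-list nonat

! Per the last answer, do not also carry an identity NAT from DMZ to inside
! (nat (dmz) 0 access-list ..., or static (dmz,inside) <dmz_IP> <dmz_IP> ...).

! 4. Verify: buffer informational syslogs, test from an inside host, then look
!    for the public IP in the log and for the resulting translation entry.
logging enable
logging buffered informational
show logging | include <public_IP>
show xlate | include <dmz_IP>
```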
