Cisco Support Community

access dmz server from inside using public ip

I've got an ASA firewall with three active interfaces on it, an inside, outside, and DMZ. In the DMZ I have my servers. Each has a static mapping to an outside IP address in the form of a static (dmz,outside) x.x.x.x x.x.x.x.

I have an internal app on the inside network that needs to verify the DMZ servers are accessible and listening on their appropriate services (i.e. web site is accessible on web server). The inside app needs to access the DMZ server using the public IP, not its actual DMZ network address. Do I need to do anything special on the ASA to get this to work? Currently the only NAT I have configured on the box is the DMZ, outside mappings, along with the inside network getting PAT'd to the outside interface address for internet bound traffic. Thanks

2 REPLIES
New Member

Re: access dmz server from inside using public ip

Hello mjsully,

Maybe the link can help you.

https://supportforums.cisco.com/message/1330220#1330220

THX

Keisikka

Cisco Employee

Re: access dmz server from inside using public ip

Yes, you need D-NAT (Destination NAT).

That thread may be a little hard to follow.

In your case you need the following:

static (dmz,inside) p.p.p.p d.d.d.d

Where p.p.p.p is the public address and d.d.d.d is the DMZ IP address for this server that the inside hosts need access to. That static says that if the inside interface sees a packet destined to p.p.p.p it is supposed to forward it to the dmz interface to the d.d.d.d IP address.

Do you have source translation for the inside network to get to the DMZ?

Like identity translation?

static (inside,dmz) i.i.i.i i.i.i.i where inside address is i.i.i.i

Good Luck.

-KS
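
The check below is an added example, not part of either reply and not Cisco's code: it parses pre-8.3 `static` lines and reports every DMZ server published on the outside that has no matching `static (dmz,inside)` entry of the kind the answer describes. The function names, the default interface names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import re

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m]
STATIC_RE = re.compile(
    r"^\s*static\s+\(([^\s,()]+),([^\s,()]+)\)\s+(\S+)\s+(\S+)",
    re.IGNORECASE)


def parse_statics(config_text):
    """Return a list of (real_ifc, mapped_ifc, mapped_ip, real_ip) tuples."""
    rules = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            rules.append(tuple(g.lower() for g in m.groups()))
    return rules


def missing_inside_dnat(config_text, server_ifc="dmz",
                        public_ifc="outside", client_ifc="inside"):
    """List (public_ip, dmz_ip) pairs that are published on the outside but
    have no matching static (dmz,inside) entry, so inside hosts cannot reach
    the server by its public address."""
    rules = parse_statics(config_text)
    published = {(m, r) for ri, mi, m, r in rules
                 if ri == server_ifc and mi == public_ifc}
    hairpinned = {(m, r) for ri, mi, m, r in rules
                  if ri == server_ifc and mi == client_ifc}
    return sorted(published - hairpinned)


# Constructed sample config (documentation address ranges, not from the thread)
SAMPLE = """
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
static (dmz,inside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for public_ip, dmz_ip in missing_inside_dnat(SAMPLE):
        print(f"missing: static (dmz,inside) {public_ip} {dmz_ip}")
```
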
