Access external Static destined to DMZ from Inside Interface

Hello All:

I did a search for past responses but nothing gave a definite answer. I was hoping someone could enlighten me with a push in the right direction to get the proper config for this scenario.

I have a test lab: there is a single ASA 5510 with an outside interface (192.168.250.1/24), an inside interface (172.20.40.74/24) and a DMZ (172.18.1.1/24). On the DMZ, I have a system listening on port 80. With the nat 0 statement, I can get from the inside interface to port 80 on the test system in the DMZ. What I can not do is use the static statement to hairpin the traffic to the 172.18.1.5 system listening on port 80.

This is the NAT and static config:

access-list inbound-outside extended permit tcp any host 192.168.250.5 eq www
access-list inside_nat0 extended permit ip 172.20.40.0 255.255.255.0 172.18.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 172.20.40.0 255.255.255.0
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
access-group inbound-http in interface http
access-group inbound-outside in interface outside

When I try to get to 192.168.250.5 from the inside system 172.20.40.71, this is what I see in the log, and it times out waiting:

%ASA-7-609001: Built local-host inside:172.20.40.71
%ASA-7-609001: Built local-host outside:192.168.250.5
%ASA-6-305011: Built dynamic TCP translation from inside:172.20.40.71/1606 to outside:192.168.250.1/1024
%ASA-6-302013: Built outbound TCP connection 493 for outside:192.168.250.5/80 (192.168.250.5/80) to inside:172.20.40.71/1606 (192.168.250.1/1024)
%ASA-6-302014: Teardown TCP connection 493 for outside:192.168.250.5/80 to inside:172.20.40.71/1606 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:192.168.250.5 duration 0:00:30

How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we can just use the external IPs to connect to systems on the DMZ?

Thanks for your help in advance.

Frank

Accepted Solution

Re: Access external Static destined to DMZ from Inside Interface

How can I get the hosts on the inside to access hosts on the DMZ using the static IP configured on the outside, so there is no need for split DNS and we can just use the external IPs to connect to systems on the DMZ?

Hi,

So you have to access 172.18.1.5 via outside using 192.168.25.5:

static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255

To access 192.168.25.5 from inside you need (assuming the DMZ interface nameif is http):

static (http, inside) 192.168.25.5 172.18.1.5 netmask 255.255.255.255

To access 192.168.25.5 from the same http interface, this is hairpinning and you need:

same-security-traffic permit intra-interface

static (http,http) 192.168.25.5 172.18.1.5 netmask 255.255.255.255

Regards

PLS rate any helpful posts if it helps
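The symptom in this thread (a zero-byte SYN timeout toward a static's mapped address, logged as an outbound connection because the ASA found no translation for that address on the client's interface) can be spotted in the syslog. The script below is an added Python example, not from the thread or from Cisco: it parses the pre-8.3 `static (real,mapped)` lines and the 302014 teardown message, and suggests the `static (real,ingress)` entry that supplies the missing UN-NAT. It assumes the outbound 302014 form lists the client side after "to", and uses the poster's config line and log lines as constructed samples.

```python
import re

# Constructed sample input, copied from the thread: the original static
# statement and the two connection messages logged for the failing attempt.
CONFIG = """
static (http,outside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255
"""
SYSLOG = """
%ASA-6-302013: Built outbound TCP connection 493 for outside:192.168.250.5/80 (192.168.250.5/80) to inside:172.20.40.71/1606 (192.168.250.1/1024)
%ASA-6-302014: Teardown TCP connection 493 for outside:192.168.250.5/80 to inside:172.20.40.71/1606 duration 0:00:30 bytes 0 SYN Timeout
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+) netmask (\S+)")
# 302014 as logged in the thread; assumption: the side after "to" is the
# interface the client arrived on (the outbound form lists the server first).
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for (\w+):([\d.]+)/\d+ to (\w+):([\d.]+)/\d+ "
    r"duration \S+ bytes (\d+) SYN Timeout")

def parse_statics(config):
    """Return (real_ifc, mapped_ifc, mapped_ip, real_ip) for every static line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics.append((real_ifc, mapped_ifc, mapped_ip, real_ip))
    return statics

def missing_hairpin_statics(config, syslog):
    """For each zero-byte SYN timeout whose destination is a mapped address that is
    published only on other interfaces, return the static (real,ingress) line that
    would give the ASA an UN-NAT entry for clients on the ingress interface."""
    statics = parse_statics(config)
    suggestions = []
    for line in syslog.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m or m.group(5) != "0":
            continue  # only zero-byte SYN timeouts are interesting here
        dst_ip, client_ifc = m.group(2), m.group(3)
        published = {(r, mi) for r, mi, mip, _ in statics if mip == dst_ip}
        for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
            if mapped_ip != dst_ip or (real_ifc, client_ifc) in published:
                continue  # not this address, or already published on the ingress side
            fix = f"static ({real_ifc},{client_ifc}) {mapped_ip} {real_ip} netmask 255.255.255.255"
            if fix not in suggestions:
                suggestions.append(fix)
    return suggestions
```

Run against the samples above it returns the `static (http,inside) 192.168.250.5 172.18.1.5 netmask 255.255.255.255` line; once that line is added to the config, it returns nothing.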

3 REPLIES

Re: Access external Static destined to DMZ from Inside Interface

Frank, is your problem resolved with my suggestion? If not, let us know so we can assist you further.

Regards

Re: Access external Static destined to DMZ from Inside Interface

I did not get a chance to try it until this morning. It turns out the static (http,inside) 192.168.250.5 172.18.1.5 entry worked.

When I used packet-tracer from the ASA, it showed the UN-NAT and started directing the traffic to the http interface properly.

UN-NAT, I had never seen that before. Great to learn something new on this ASA.

Thanks

Frank
