07-28-2008 10:25 AM - edited 03-11-2019 06:21 AM
We have some web servers set up internally, I have NAT configured and they are working if you type in a domain URL from an external network, but if you type in the same domain URL on a computer in the internal network, it throws a "portmap translation" error. Does anyone know what causes this? I have gotten it to stop giving me an error when I mess around with the NAT settings but the page will never parse.
More info on the connections: right now we have 2 WAN connections, one is for internal DHCP clients inside - outside, and one is a faster connection outside - inside for the web servers.
We have a block of 13 statics on both connections, but only the T1 connection is using more than one. Thanks for any advice you can provide, and yes my config is messy, and my ACLs are goofy, but I spent my weekend learning this stuff.
ATTACHED CONFIG: Result of the command: "show running-config"
07-28-2008 11:29 AM
Read this link, there are a couple of solutions here, one being DNS doctoring.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
HTH
Jorge
07-28-2008 01:56 PM
I went through and looked at that some, but it's not helping my problems any. I got to the point where it's timing out now instead of being completely dropped, but I still can't pull up a web page. Kind of frustrating to be so close.
07-28-2008 02:20 PM
From inside you are accessing your own public webserver, but the request is pointing to the public IP. Try the hairpinning solution on the same page, assuming 192.168.1.100 is the webserver on interface inside.
same-security-traffic permit intra-interface
static (inside,inside) xxx.xxx.123.197 192.168.1.100
07-29-2008 08:20 AM
At first I didn't think it was working, so I went back through in CLI and cleaned out all my NAT stuff and started fresh. The hairpinning solution worked! Here is what I did.
Since I have 3 interfaces I had to set up two separate NATs for each.
same-security-traffic permit intra-interface
static (inside,inside) xxx.xxx.123.197 192.168.1.100
was only the beginning
What I have is a little different since it's not really a DMZ, it's 2 WAN connections, but I kind of treated my T1 line as a DMZ even though the ASA doesn't see it as such.
The biggest thing I think was adding the
global (inside) 1 interface
along with
global (Cable) 1 interface
Interface names:
outside = cable
inside = inside
dmzish = T1
Two entries are needed in NAT for internal:
static (inside,Cable) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255
static (inside,inside) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255
and one for external:
static (inside,T1) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255
Thank you to everyone who helped out, this was a tough one for me being a beginner, now I have a very good understanding of NAT :)
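Added example, not part of the original posts: a small checker that parses the pre-8.3 ASA `static` and `global` lines used in this thread and reports which hairpinning pieces are missing for a server published from the inside interface. The sample config, its 203.0.113.197 address and the function names are constructed for illustration.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax used in the thread; the
# public address is a documentation placeholder, not the poster's value.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (Cable) 1 interface
global (inside) 1 interface
static (inside,Cable) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,inside) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,T1) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+?)\) \d+ ")


def parse(config):
    """Collect the statements that matter for hairpinning."""
    statics, globals_, intra = [], set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_if, mapped_if, mapped_ip, real_ip)
        elif m := GLOBAL_RE.match(line):
            globals_.add(m.group(1))    # interface that has a global pool
    return statics, globals_, intra


def hairpin_findings(config, inside="inside"):
    """Return a list of missing hairpin pieces (empty list means complete)."""
    statics, globals_, intra = parse(config)
    findings = []
    # Servers on `inside` that are published on some other interface.
    published = {(mip, rip) for rif, mif, mip, rip in statics
                 if rif == inside and mif != inside}
    hairpinned = {(mip, rip) for rif, mif, mip, rip in statics
                  if rif == inside and mif == inside}
    for mip, rip in sorted(published - hairpinned):
        findings.append(f"{rip}: no static ({inside},{inside}) for {mip}")
    if published:
        if not intra:
            findings.append("same-security-traffic permit intra-interface missing")
        if inside not in globals_:
            findings.append(f"global ({inside}) <id> interface missing")
    return findings
```

Run `hairpin_findings()` on the text of `show running-config`; an empty list means all three pieces discussed in the thread are present.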