Cisco Support Community

ASA 5520 - Issue with static NAT

Hello all,

I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:

There is a subnet (on a subinterface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source NATed through the ASA to the outside interface. This works fine.

There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.

Now the customer wants to access the server on the inside from a client on the "Guest" interface using the public (NATed) IP address. The reason for this is that they have an application with a hard-programmed IP address inside and want to run some live tests. However, this kind of traffic does not seem to pass through the ASA.

What I have tried so far:

- examined whether a hairpin scenario could be applied here, but it seems not, as I have traffic travelling between interfaces, not out and in on the same interface.

- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"

- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules

So currently, I'm a little stuck here, can someone think of a reason why I cannot use the public NAT address from any of the other interfaces?

Thanks in advance!


ASA 5520 - Issue with static NAT

Hi,

You would need the following configuration:

static (inside,guest) <public_ip> <real_ip>

and also allow the host in the access-list that you have applied on the guest interface, since you are going from lower security to higher security.

Thanks,
Varun Rao
Security Team,
Cisco TAC


ASA 5520 - Issue with static NAT

Thanks, however, to be sure about the IPs:

<public_ip> = the outside interface IP address?

<real_ip> = the IP of the server on the inside interface, or of the guest client PC?


ASA 5520 - Issue with static NAT

Hi,

Public IP would be the free public IP that the inside server is already NATed to; real IP is the IP of the server on the inside.

Thanks,
Varun Rao
Security Team,
Cisco TAC

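The configuration described in the replies above, written out as an added example for ASA 8.2 syntax. This is not the customer's configuration from the thread: the interface names, VLAN ID and all addresses (RFC 5737 documentation range 203.0.113.0/24 for the public side, 10.0.0.0/24 for inside, 192.168.20.0/24 for guest) are assumptions chosen for illustration. The security-relevant point is that on 8.2 a `static` is bound to one interface pair, so the existing `(inside,outside)` entry is never consulted for packets arriving on `guest`; a second `static` for the `(inside,guest)` pair makes the same public address reachable from there.

```text
! --- constructed example, not the original poster's config ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif guest
 security-level 10
 ip address 192.168.20.1 255.255.255.0
!
! Already in place (works per the thread): guest is PATed to the outside
! interface, the inside server 10.0.0.10 is published as 203.0.113.10.
global (outside) 1 interface
nat (guest) 1 192.168.20.0 255.255.255.0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! Added per the TAC reply: a static for the (inside,guest) pair. Without it
! the ASA has no translation for 203.0.113.10 on packets received on guest
! and simply routes them toward the outside.
static (inside,guest) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped (public) address for traffic from a lower-
! security interface, so the guest ACL must permit the public IP, not 10.0.0.10.
access-list guest_in extended permit tcp 192.168.20.0 255.255.255.0 host 203.0.113.10 eq 443
access-list guest_in extended permit ip 192.168.20.0 255.255.255.0 any
access-group guest_in in interface guest
```

To confirm the translation is picked up before involving the customer's application, run `packet-tracer input guest tcp 192.168.20.50 40000 203.0.113.10 443` and check that the NAT phase shows the `(inside,guest)` static and the packet is allowed; `show xlate` afterwards should list the 203.0.113.10 to 10.0.0.10 entry on the guest pair. Two caveats: the static is bidirectional, so connections the inside server initiates toward guest hosts will also appear to come from 203.0.113.10 on that segment; and `same-security-traffic permit inter-interface` is not what fixes this, since guest is a lower-security interface than inside and the ACL already governs that direction.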