ASA 5520 - Issue with static NAT

usantellani
Level 1

Hello all,

I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:

There is a subnet (on a subinterface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source NATed through the ASA to the outside interface. This works fine.

There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.

Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (NATed) IP address. Reason for this is, they have an application with hard programmed IP address inside and want to run some live tests. However, this kind of traffic seems not to be passing through the ASA.

What I have tried so far:

- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.

- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"

- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules

So currently, I'm a little stuck here, can someone think of a reason why I cannot use the public NAT address from any of the other interfaces?

Thanks in advance!


varrao
Level 10

Hi,

You would need the following configuration:

static (inside,guest)  

and also allow the host in the access-list that you have applied on the guest interface, since you are going from lower security to higher security.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Thanks, however, to be sure with the IPs:

= the outside interface ip address

= the ip of the server on the inside interface or of the guest client pc?

Hi,

Public ip would be the free public ip to which the inside server is already NATed, real ip is the ip of the server on the inside.

Thanks,
Varun Rao
Security Team,
Cisco TAC

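The configuration the replies describe, written out as an added example (not from the thread or from Cisco); the addresses, interface names, port and ACL name are constructed assumptions for an ASA running 8.2 (pre-8.3 NAT syntax):

```cisco
! Added example for ASA 8.2. All addresses, interface names, the port and the
! ACL name are constructed placeholders, not values from the thread.
!   inside server (real address)   10.1.1.10
!   public address of the server   203.0.113.10
!   guest subnet                   192.168.50.0/24
!
! Already present: outside clients reach the server on its public address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Added: publish the same public address toward the guest interface, so a
! guest client can use the hard-coded 203.0.113.10 and the ASA untranslates
! it to 10.1.1.10 on the way to inside (an interface pair of its own, so this
! is not a hairpin case)
static (inside,guest) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Guest is lower security than inside, so the flow must be permitted explicitly.
! In 8.2 an inbound ACL is matched before NAT untranslation, so it names the
! public (mapped) address, not 10.1.1.10. Permit only the port the application
! needs (443 assumed here) and keep the rest of inside closed to guest hosts.
access-list GUEST_IN extended permit tcp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq 443
access-list GUEST_IN extended deny ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
! Check the path end to end before the customer's application is tested:
! packet-tracer input guest tcp 192.168.50.20 40000 203.0.113.10 443
! The NAT phase should show the static (inside,guest) translation and the
! result should end with "Action: allow"; "show xlate" then lists the
! 203.0.113.10 entry once a guest host has connected.
```

If packet-tracer drops the flow in the ACL phase, the usual cause is an ACL line written against the real 10.1.1.10 address instead of the mapped 203.0.113.10.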