Yeah I know it's a bad idea. 

Changing human behaviour is much more difficult than any technical solution, 10 times out of 10.

We take care of most of this by resolving the public hosts names to the DMZ addresses with split DNS, but it doesn't always work out that way.

There are some applications that use the IP address.  50.50.50.50.  Not a DNS name, so any DNS-centric soultions are out. It's a hassle, but I can only control so much.  Other vendors do this with no problem, the ASA should be able to handle this without tricks.

One idea I had was to split the ASA cluster into two contexts, which is a trick and shouldn't be necessary.  It also limits our functionality - can't terminate VPN's anymore.

Not sure if I'm understanding your requirements here. Can you state why it is necessary for your inside host/s to communicate with the external IP's of the DMZ hosts? They are all connected to the same firewall. I propose, you simply add 1-1 statics for the entire inside to DMZ1 and DMZ2. Then just use the interface ACLs to control traffic. What is the purpose of trying to communicate from inside to a public address? Testing?

Look, I agree that it's unnecessary, however it happens.  Our developers end up hard coding public IP addresses (instead of DNS names) into web pages hosted on the "inside", they instruct internal users to FTP to public IP addresses (instead of the DMZ IP or DNS hostname)...it drives me nuts, but it's reality.

I'll expirament with the Statics and see if I can get acceptable results, thanks for the idea.

I hear you. I have been there. I had the developers change the code to use names.

Anyway, in your case since they are using IP address from the inside DNS doctoring will not work.

You need D-NAT.

static (dmz,inside) public_ip dns_side_real_IP

Let me know if this works.

-Kureli

Interesting.

Here's what I did...

!

! first, got rid of the nat0's from Inside to DMZ and DMZ to Inside, then...

!

access-list 192-168-1-50 extended permit ip host 192.168.1.50 any

!

access-list 192-168-1-50_pub extended permit ip host 192.168.1.50 any

!

static (DMZ,Outside) 50.50.50.50 192.168.1.50 netmask 255.255.255.255

static (DMZ,Inside) 192.168.1.50  access-list 192-168-1-50

static (DMZ,Inside) 50.50.50.50  access-list 192-168-1-50_pub

!

Didn't work.

...I am testing with a 5505, 8.2(5)...

ciscoasa(config)# sh run interface | beg Vlan

interface Vlan100

nameif Outside

security-level 0

ip address 50.50.50.1 255.255.255.0

!

interface Vlan101

nameif DMZ

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface Vlan102

nameif Inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

ciscoasa(config)# int Vlan102

ciscoasa(config-if)# sec

ciscoasa(config-if)# security-level 40

ciscoasa(config-if)#

Now it works from the Inside, using both 192.168.1.50 and 50.50.50.50.

Downside, the DMZ interface security-level is higher than Inside.

What problems am I going to run into if I keep it this way?

EDIT: I wasn't planning on relying on security-levels for access control, but rather by applying interface ACL's like Jean Claude mentioned.

Message was edited by: Richard Field

Pls. don't complicate things with policy etc than what it already is.

You need the following:

static (inside,dmz) inside_real_IP inside_real_IP  --- source address translation

static (dmz,inside) dmz_public_IP dmz_real_IP --- destination address translation

let me know if it works.

-Kureli

I've tried multiple iterations of this, the only thing that works is removing the nat0's, then applying your config...but then this will only work between the two hosts I am testing with.  I can't do this for each of the 100's of potential hosts that require this!

This is nuts. Why can all the other firewall vendors handle this, but the ASA cannot? 

Would upgrading to 8.3/8.4 help? 

Just knock the DMZ security-level down below that of the inside interface. No issues, but would be good practice to make sure the 'most trusted networks' sec-lvls are higher than the DMZ.

Jean Claude, if I make the DMZ interface sec-lev lower than Inside, the config above breaks.

I've tried multiple iterations of  this, the only thing that works is removing the nat0's, then applying  your config...but then this will only work between the two hosts I am  testing with.  I can't do this for each of the 100's of potential hosts  that require this!

This is nuts. Why can all the other firewall vendors handle this, but the ASA cannot?  

Would upgrading to 8.3/8.4 help?  

The sample source nat and D-NAT that I gave you was assuming inside is higher security than dmz.

Anyway, upgrading to 8.3 wouldn't help either.  You would have more lines to configure when compared to pre 8.3 NAT that you have.

I am not sure what other firewall vendors you are talking about. I am sure they don't all do everything that our ASA firewall does.

At this point since there are multiple hosts involved, it would be better to open a TAC case - also to ease your frustration. Depending on all the public addresses may be we can come up with a subnet address instead of individual hosts for D-NAT static.

-Kureli

I think what I'm going to end up doing is

1) configure the ASA's as originally intended

2) place a spare 5505 between Inside and DMZ with NAT's setup to do what is required

3) route necessary public addresses to the 5505

4) Log and monitor all traffic and get the developers to use the internal addresses and instruct helpdesk to use internal addresses (which, as everyone here agrees, is the best long term solution).

Sorry about my frustration level, we are migrating from a Juniper/Netscreen and it handles this with no issues.  Checkpoint does as well. I apprecite the marketing plug, though

get the developers to use the internal addresses and instruct helpdesk to use internal addresses

That is not a good idea.  If I were to load this page from outside of your company then, these internal private addresses are going to fail.

The best thing to do is use name.  When the inside users try the pages, have the inside DNS server hand the internal/private IP addresses.  When the external (folks on the internet) try to access the page, their local DNS servers will hand the routable IP address.

-Kureli

You are right, dns name is better.

So it looks like the Nat0 attached to the DMZ1 interface was the problem all along.  I removed that and added the two Static Policy NAT's from earler and everything seems to be working, no 2nd firewall necessary...I think this is where Jean Claude's suggestion was leading.  Also used a subnet static like Kureli suggested, staying away from Static Policy if at all possible.

nat-control

! works with no nat-control also in this simple config

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

object-group network Inside_Nets

network-object 10.1.1.0 255.255.255.0

!

access-list inside_nat0_outbound extended permit ip object-group Inside_Nets 192.168.1.0 255.255.255.0

!

nat (DMZ1) 100 0.0.0.0 0.0.0.0

nat (Inside) 0 access-list inside_nat0_outbound

nat (Inside) 100 0.0.0.0 0.0.0.0

!

global (Outside) 100 interface

!

static (DMZ1,Outside) 50.50.50.50 192.168.1.50 netmask 255.255.255.255

static (DMZ1,Inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (DMZ1,Inside) 50.50.50.50 192.168.1.50 netmask 255.255.255.255

!

I have some more testing to do with more security zones (like the DMZ2 mentioned in the original question), but I think this is the right direction.

I still think all these hoops are silly, but it's working.  Thanks for the leads towards the right config!