Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA: Question about static public IP accessing

Hi there,

Is it possible to access a server located at the DMZ using its public IP address (static nat), from a server in the same DMZ or another station in another network interface (inside or management)? Will that be possible in the ASA?

My customer states that it can be done on Check Point firewalls.

Any feedback is highly appreciated.

5 REPLIES
Gold

Re: ASA: Question about static public IP accessing

Green

Re: ASA: Question about static public IP accessing

Yes. But it will be one or the other, not both. It is called destination NAT.

DMZ server public ip = 1.1.1.1

DMZ server ip = 192.168.1.1

To access from inside...

static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

To access it from another DMZ machine you must use hairpinning. DNS doctoring will only work if you're trying to resolve it, not using an ip.

Hairpinning Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Community Member

Re: ASA: Question about static public IP accessing

D-NAT is not a option for the customer, since he needs to actually go out and go back in the same interface.

I had used hairpinning for in a VPN client and lan-2-lan environment, but I did'nt think it as a solution for this scenario.

I'll try that and I'll post here again with my findings. Thanks a lot!

Green

Re: ASA: Question about static public IP accessing

"D-NAT is not a option for the customer, since he needs to actually go out and go back in the same interface"

-I posted an example for inside to dmz using d-nat. The other example (hairpin) was for dmz to dmz.

Community Member

Re: ASA: Question about static public IP accessing

Sure, I got it! Thanks again.

240
Views
0
Helpful
5
Replies
CreatePlease to create content