Hi - I have this question because I need to log the IP addresses of requests to a web-proxy server.
The current web-proxy server is in a DMZ, traffic is in the identity NAT rules and the source IP is passed through the firewall to the server and logged.
I have set up a test web-proxy server which is in another DMZ, but I need to access this with an 'inside' IP address, rather than the true 'DMZ' IP address. I have tested this using a policy Static NAT (so that VPNs can access it too - please refer to https://supportforums.cisco.com/thread/2013181) and I have everything working except the logging; all requests now log with the firewall's DMZ interface rather than the true source IP.
The logging server is also on the DMZ 192.168.0.1 server (Web Proxy).
I set my web browser PROXY to be 172.16.0.1, my web request gets translated to 192.168.0.1. The server (192.168.0.1) actions my web request and then returns the web page to me - it also logs that I have visited this web site, but instead of registering my own IP address (e.g. 172.16.0.100), it is registering the IP address of the DMZ interface of the Firewall (192.168.0.254).
If I use another PC (with different IP address - 172.16.0.101) with the same web browser PROXY setting, then it is also registered on the DMZ server 192.168.0.1 with the IP address of the DMZ interface of the Firewall (192.168.0.254).
The DMZ server is not able to log the different source IPs.
The reason for this is that the logging server is on the DMZ 192.168.0.1 (Web Proxy).
You set up your web browser proxy to 172.16.0.1 on the inside LAN.
When the packets get to the web proxy, they get to the real IP of the proxy (192.168.0.1).
I think that the LAN machines (192.168.0.x) are getting translated to the DMZ IP when going to the DMZ. This is why the proxy "sees" the requests coming from the ASA's DMZ IP instead of coming from the LAN real IPs.
If you, for example, set up a NAT rule like this:
static (inside,dmz) 172.16.0.5 172.16.0.5
In this way, when host 172.16.0.5 contacts the proxy, the proxy will see the request from the real IP 172.16.0.5 and not from the DMZ interface of the ASA.
You can also use a nat0 rule or subnets in the static command.
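A way to confirm on the proxy side that a NAT change restored per-client logging, as an added example that is not part of either post. The log line layout, the /24 inside mask and the sample lines are assumptions constructed for illustration; only the addresses come from the thread.

```python
import ipaddress
from collections import Counter

# Addresses from the thread; the /24 mask is an assumption.
INSIDE_NET = ipaddress.ip_network("172.16.0.0/24")
FW_DMZ_IP = ipaddress.ip_address("192.168.0.254")

# Constructed sample lines in an assumed layout: "<epoch> <client-ip> <method> <url>"
BEFORE = """\
1300000001 192.168.0.254 GET http://example.com/
1300000002 192.168.0.254 GET http://example.org/
1300000003 192.168.0.254 CONNECT example.net:443
"""
AFTER = """\
1300000101 172.16.0.100 GET http://example.com/
1300000102 172.16.0.101 GET http://example.org/
1300000103 172.16.0.100 CONNECT example.net:443
"""

def audit_sources(log_text):
    """Classify each logged client address and report whether NAT hides the real clients."""
    counts = Counter()
    clients = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or truncated line
        try:
            src = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # second field is not an IP address
        if src == FW_DMZ_IP:
            counts["firewall"] += 1   # request was source-translated by the firewall
        elif src in INSIDE_NET:
            counts["inside"] += 1     # real inside client is visible
            clients.add(str(src))
        else:
            counts["other"] += 1
    total = sum(counts.values())
    return {
        "total": total,
        "masked": counts["firewall"],
        "clients": sorted(clients),
        "attribution_lost": total > 0 and counts["firewall"] == total,
    }

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_sources(text))
```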