Connect to outside ip from inside network

deyster94 · ‎07-27-2007

I just replace a clients PIX with an ASA 5510. They weren't using static nats and had all their servers set up with dual NICs. One connected to the internet and one to their inside network. Now that the ASA is in place, they are using static nats . However, one of their apps that they use on the internal network connects to an internet IP. It's hard coded and cannot be changed. So, now when they try to connect, it does not work. Is there any way to get this to work with the ASA?

TIA.

Dan

acomiskey · ‎07-27-2007

Sure, but where is the destination? If it's on the dmz and the request is coming from the inside you can do destination nat.

static (dmz,inside) public.ip private.ip netmask 255.255.255.255

Or if the destination is on the inside along with the source then you have to hairpin.

same-security-traffic permit intra-interface

static (inside,inside) public.ip private.ip netmask 255.255.255.255

nat (inside) 1 0 0

global (inside) 1 interface

Please rate helpful posts.

deyster94 · ‎07-27-2007

They want to connect to an IP on the outside of the firewall that is natted back inside.

for example:

ftp to: 1.1.1.1 which is natted to 2.2.2.2 on the inside and make this connection from the internal network

So, for a destination nat, they would do:

static (outside,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 ?

acomiskey · ‎07-30-2007

So if you have something like

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

and the connection from inside is to x.x.x.x then you would use the hairpinning method I referenced above.