I've got an ASA with multiple interfaces on it. I've got an inside, outside, dmz1, dmz2, and dmz3. I have a static NAT for a server in the DMZ to a global Internet address on the outside via:
static (dmz1,outside) 210.x.x.10 192.168.1.1
I have a server in dmz2 and also a server in dmz3; both are trying to FTP to the server in dmz1 using the "Internet" address 210.x.x.x, NOT the actual DMZ address. Logs show:
"Deny TCP reverse path check from 210.x.x.1 (outside IP of firewall) to 210.x.x.10 on interface outside". The default route is via the outside interface. The error seems to point to a routing issue, but I'm not sure. Should these inside hosts in the other DMZs be able to talk to the FTP server by using the public IP, rather than the actual IP?
This command, when applied to an interface, will confirm that the source address SHOULD be ingressing on that interface. A packet sourced from the outside IP address (presumably what every inside host was PATed to) would not be expected to enter on the outside interface.
It is not advised to use the public IP address to access a local resource. In some situations, this may cause bad xlates to be formed on the firewall.
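To make the reverse-path logic in the answer above concrete, here is an added example (not code from the thread or from Cisco): a simplified model of a per-interface reverse path check. It is not the ASA's implementation; the interface names and routes mirror the poster's topology, and the addresses are constructed stand-ins (203.0.113.0/24 replaces the poster's 210.x.x.x block, 192.168.2.0/24 and 192.168.3.0/24 are assumed for dmz2 and dmz3). The check does two things: it refuses a source address that belongs to the firewall itself, and it refuses any source whose route lookup does not point back out the interface the packet arrived on.

```python
"""Simplified per-interface reverse-path check (added example, not ASA code).

Addresses are constructed stand-ins: 203.0.113.1 plays the firewall's outside
IP (the poster's 210.x.x.1) and 203.0.113.10 the server's public IP.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # firewall's own address, with prefix
    rpf_enabled: bool = False


@dataclass
class Firewall:
    interfaces: dict = field(default_factory=dict)
    static_routes: list = field(default_factory=list)  # (network, iface name)

    def add_interface(self, name, cidr, rpf=False):
        self.interfaces[name] = Interface(name, ipaddress.ip_interface(cidr), rpf)

    def add_route(self, cidr, iface):
        self.static_routes.append((ipaddress.ip_network(cidr), iface))

    def route_lookup(self, addr):
        """Longest-prefix match over connected networks and static routes."""
        addr = ipaddress.ip_address(addr)
        best = None  # (network, iface name)
        candidates = [(i.address.network, i.name) for i in self.interfaces.values()]
        candidates += self.static_routes
        for net, name in candidates:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        return best[1] if best else None

    def rpf_check(self, ingress, src):
        """Return (allowed, reason) for a packet from `src` arriving on `ingress`."""
        iface = self.interfaces[ingress]
        if not iface.rpf_enabled:
            return True, f"reverse path check not enabled on {ingress}"
        src_ip = ipaddress.ip_address(src)
        # A packet claiming to come from one of the firewall's own addresses can
        # never legitimately arrive on any interface (assumed rule for this model).
        if any(src_ip == i.address.ip for i in self.interfaces.values()):
            return False, f"Deny reverse path check from {src} on interface {ingress}: source is a firewall address"
        expected = self.route_lookup(src)
        if expected != ingress:
            return False, f"Deny reverse path check from {src} on interface {ingress}: route points to {expected}"
        return True, "ok"


def build_example():
    """Topology assumed from the thread: default route out 'outside', one /24 per DMZ."""
    fw = Firewall()
    fw.add_interface("outside", "203.0.113.1/24", rpf=True)
    fw.add_interface("dmz1", "192.168.1.254/24", rpf=True)
    fw.add_interface("dmz2", "192.168.2.254/24", rpf=True)
    fw.add_interface("dmz3", "192.168.3.254/24", rpf=True)
    fw.add_route("0.0.0.0/0", "outside")
    return fw


if __name__ == "__main__":
    fw = build_example()
    # The case from the log: source is the firewall's own outside IP, on outside.
    print(fw.rpf_check("outside", "203.0.113.1"))
    # A spoofed dmz2 address arriving from the Internet.
    print(fw.rpf_check("outside", "192.168.2.5"))
    # A genuine Internet client.
    print(fw.rpf_check("outside", "198.51.100.7"))
    # A dmz2 host arriving on its own interface.
    print(fw.rpf_check("dmz2", "192.168.2.5"))
```

Run it directly to see the four verdicts: the first two are denied (the first because the source is the firewall's own address, the second because the route for 192.168.2.5 points to dmz2, not outside), and the last two pass.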