Direct access to my public IP address from inside my network
We have an ASA 5550. I have a portal server in the DMZ which is NATed statically to a public IP address for port 443. The application works fine from the outside world. The server is also NATed with a dynamic NAT from inside to DMZ, and when I hit the DMZ IP from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public IP address and not through the DMZ. Please let me know what I should do to resolve this issue, as it is a bit urgent.
Re: Direct access to my public IP address from inside my network
I assume you're using an ASA software version below 8.3?
From 8.3 onwards you can configure a static NAT to use the same public NAT IP towards any interface. This would mean that even though the DMZ server has a private IP address, you could NAT that IP address towards "outside" and "inside" with the same IP address (and any other interfaces you might have).
In the new software (8.3 onwards) the static NAT I mentioned above would look something like this:
object network DMZ-SERVER
nat (dmz,outside) static 220.127.116.11 dns
Or, if you want to NAT the DMZ server to the same public IP address towards every ASA interface (though in this case you have to take into consideration how this affects all of your connections from "inside" to the server in the "dmz" segment):
object network DMZ-SERVER
nat (dmz,any) static 18.104.22.168 dns
With ASA software 8.2 and below you can't connect to the DMZ server using the public IP address that you have NATed it to towards "outside". Though one way would be to use DNS doctoring (not sure if the term is right) in the NAT and connect to the server using its name. This would of course require that the server's public IP address had a DNS name on a public server. This way at least both "inside" and "outside" users would be connecting to the same "address", though in this case a name, not an IP address.
In the 8.2 and earlier old static NAT format it would look something like this:
static (dmz,outside) 22.214.171.124 10.10.10.10 netmask 255.255.255.255 dns
To my understanding you can't get the situation you mentioned to work if you're still using ASA software below 8.3. One option of course would be to get a public IP address range directly to the "dmz" so you wouldn't have to do NAT at all for the DMZ servers.
Is there any particular reason you are doing dynamic NAT for the users on "inside" connecting to "dmz"? Just wondering, as I personally very rarely NAT traffic between interfaces that are local to my network.
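To put the 8.3+ approach from the reply above into one piece, here is an added configuration example (not the poster's or the replier's own config) for the "reach the DMZ portal on its public IP from inside" case, together with the CLI checks a practitioner would run afterwards. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the ACL name, the server's real address and the test client address are assumptions.

```cisco
! Added example (not from the original thread): ASA 8.3+ object NAT so that
! "inside" users reach the DMZ portal on its public IP. Addresses are
! constructed placeholders (RFC 5737 ranges), not the poster's real values.

! Real (DMZ) address of the portal server (assumed)
object network DMZ-SERVER
 host 10.10.10.10
 ! Same public mapping towards every interface, including "inside".
 ! Static NAT is bidirectional, so with "any" the server's own traffic
 ! towards "inside" also appears sourced from 203.0.113.10.
 ! "dns" rewrites A records for this host in DNS replies crossing the
 ! ASA, so name-based access resolves consistently from every side.
 nat (dmz,any) static 203.0.113.10 dns

! From 8.3 onwards ACLs reference the real (untranslated) address,
! so the rule below uses the object, not the public IP.
access-list OUTSIDE_IN extended permit tcp any object DMZ-SERVER eq https
access-group OUTSIDE_IN in interface outside

! Verification from the ASA CLI (hypothetical inside client 192.0.2.50):
! show nat detail
!   -> lists the static entry and its translate_hits / untranslate_hits
! packet-tracer input inside tcp 192.0.2.50 12345 203.0.113.10 443 detailed
!   -> the NAT phase should rewrite 203.0.113.10 to 10.10.10.10 and the
!      output interface should be "dmz"; an ACL DROP here means the
!      inside-to-dmz path is being blocked, not the NAT
! show xlate
!   -> shows the 10.10.10.10 <-> 203.0.113.10 translation once traffic flows
```

Traffic from "inside" (higher security level) to "dmz" is permitted by default, so no extra ACL is shown for that direction; if an inbound ACL is applied on the inside interface, it must permit TCP/443 to the DMZ-SERVER object as well.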