Community Member

Direct access to my public ip address from inside my network

We have an ASA 5550. I have a portal server in the DMZ which is statically NATed to a public IP address for port 443. The application works fine from the outside world. The server is also NATed with a dynamic NAT from inside to DMZ, and when I hit the DMZ IP from my inside it works fine.

The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public IP address and not through the DMZ. Please let me know what I should do to resolve this issue as it is a bit urgent.

5 REPLIES
Super Bronze

Re: Direct access to my public ip address from inside my network

Hi,

I assume you're using ASA software version below 8.3?

From 8.3 onwards you can configure a static NAT to use the same public NAT IP towards any interface. This would mean that even though the DMZ server has a private IP address you could NAT that IP address towards "outside" and "inside" with the same IP address (and any other interfaces you might have).

In the new software 8.3 onwards the static NAT I mentioned above would look something like this:

object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,outside) static 1.2.3.4 dns

or, if you want to NAT the DMZ server to the same public IP address towards every ASA interface (though in this case you have to take into consideration how this affects all of your connections from "inside" to the server in the "dmz" segment):

object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,any) static 1.2.3.4 dns

With ASA software 8.2 and below you can't connect to the DMZ server using the public IP address that you have NATed it to towards "outside". Though one way would be to use DNS doctoring (not sure if the term is right) in the NAT and connect to the server using its name. This would of course require that the server's public IP address had a DNS name on a public server. This way at least both "inside" and "outside" users would be connecting to the same "address", though in this case a name, not an IP address.

In the 8.2 and earlier old static NAT format it would look something like this:

static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns

To my understanding you can't get the situation you mentioned to work if you're still using ASA software below 8.3. One option of course would be to get a public IP address range directly to the "dmz" so you wouldn't have to do NAT at all for the DMZ servers.

- Jouni

EDIT:

Is there any particular reason you are doing dynamic NAT for the users on "inside" connecting to "dmz"? Just wondering, as I personally very rarely NAT traffic between interfaces that are local to my network.
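To put the 8.3+ variant from the reply above into context, here is an added configuration example (not from Jouni's post or from Cisco documentation). The server address 10.10.10.10, the public address 1.2.3.4 and the interface names "dmz", "inside" and "outside" are the ones used in the reply; the object and access-list names, the inside client address and the 443-only access rule are assumptions for this example.

```cisco
! Added example: ASA 8.3+ configuration that publishes the DMZ server on one
! public address towards both "outside" and "inside". Object names, the ACL
! name and the client address 192.168.1.50 are assumptions for this example.

! Real (untranslated) address of the portal server in the dmz segment
object network DMZ-SERVER
 host 10.10.10.10
 ! One static NAT towards every interface. An inside host that connects to
 ! 1.2.3.4 is untranslated to 10.10.10.10 and forwarded into the dmz.
 ! Side effect to account for: connections the server itself opens towards
 ! inside are also sourced from 1.2.3.4.
 ! "dns" rewrites the A record in DNS replies that pass THROUGH the ASA;
 ! it does nothing for replies from a DNS server on the same segment as the
 ! client, which never cross the firewall.
 nat (dmz,any) static 1.2.3.4 dns

! Since 8.3, access lists match the real IP, not the translated one.
! Expose only the one port the portal needs.
access-list OUTSIDE_IN extended permit tcp any object DMZ-SERVER eq 443
access-group OUTSIDE_IN in interface outside
! inside (higher security) to dmz is permitted by default; if an ACL is
! applied to "inside", it must permit tcp to object DMZ-SERVER eq 443 as well.

! Same publication in the pre-8.3 syntax: one static per interface pair
! (the "dns" keyword only rewrites replies that actually traverse the ASA).
static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns
static (dmz,inside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255

! Check which NAT rule and ACL the ASA applies to an inside client that
! connects to the public address, before changing anything in production.
packet-tracer input inside tcp 192.168.1.50 12345 1.2.3.4 443
```

The packet-tracer output should show an UN-NAT phase mapping 1.2.3.4 to 10.10.10.10 and an egress interface of dmz; if it instead shows the flow leaving via outside, the inside interface is not covered by the static translation.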

Community Member

Direct access to my public ip address from inside my network

I am running version 7.2(4) on my ASA, so I believe the first solution won't work in my case. I had tried using the following as well:

static (dmz,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns

but it did not work either, because we have an internal DNS server. With the above command it works when the public DNS is used.

There is no specific reason for NATing my DMZ with inside, only for security reasons.

Direct access to my public ip address from inside my network

Hello Lmroz,

Please try this and let me know!

static (dmz,inside) 1.2.3.4 10.10.10.10

Regards,

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: Direct access to my public ip address from inside my network

Issue is resolved; the following commands helped, apart from the regular static NAT:

global (inside) 1 interface
static (dmz,inside) outside dmz netmask 255.255.255.255

Re: Direct access to my public ip address from inside my network

Hello Imroz,

Great to hear I could help!

Please mark the question as answered so future users can learn from this discussion.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC