
Inside Access to NAT IP on outside interface

Hey, we have a server that has an outside IP and an inside IP. Its inside IP is 192.168.222.30/24 and its outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP, which is 199.204.50.2/29, is having issues; however, access to the inside IP works fine (this part makes sense).

Will it be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server?

LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physically assigned to this server)

This is an ASA 5510 with 8.4.

ACCEPTED SOLUTION

Inside Access to NAT IP on outside interface

Hello John,

Ok, so if the DNS response from the DNS server will show 199.204.50.2, then this is what you need to do, 8.4 talking:

object network Public_Server
 host 199.204.50.2
object network Internal_Server
 host 192.168.222.30

nat (inside,inside) source dynamic any interface destination static Public_Server Internal_Server

same-security-traffic permit intra-interface

Rate all the helpful posts!!!

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
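The accepted configuration above, expanded into a complete ASA 8.4 hairpin ("U-turn") NAT example with the verification commands a practitioner would run afterwards. This is an added example, not Julio's posted config: the LAN object, the client address 192.168.222.50 and the port numbers used in packet-tracer are assumptions.

```cisco
! Added example (not from the thread): 8.4 hairpin NAT so inside clients can
! reach the server by its public address 199.204.50.2.
! The LAN object and the packet-tracer addresses/ports are assumptions.
object network Public_Server
 host 199.204.50.2
object network Internal_Server
 host 192.168.222.30
object network LAN
 subnet 192.168.222.0 255.255.255.0
!
! A flow that enters and leaves the same interface is dropped by default;
! this allows it on the inside interface.
same-security-traffic permit intra-interface
!
! Twice NAT (section 1, evaluated before any object NAT):
!  - destination 199.204.50.2 is rewritten to 192.168.222.30
!  - the client source is PAT'd to the inside interface address, so the
!    server's reply returns through the ASA instead of going straight to the
!    client (client and server share 192.168.222.0/24; a direct reply would
!    come from 192.168.222.30 while the client expects 199.204.50.2)
nat (inside,inside) source dynamic LAN interface destination static Public_Server Internal_Server
!
! Verification: trace a constructed client flow to the public address and
! confirm the NAT phase shows both translations and the result is ALLOW.
packet-tracer input inside tcp 192.168.222.50 40000 199.204.50.2 443 detailed
show nat detail
show xlate
```

The source PAT to the inside interface address is what makes this work when client and server sit on the same subnet: without it the server would answer the client directly from 192.168.222.30, the reply would never pass back through the ASA to be un-translated, and the client, which is waiting for a reply from 199.204.50.2, would drop it. The cost is that the server sees every hairpinned connection as coming from the ASA's inside address (the accepted solution's `source dynamic any interface` has the same effect for every source), so any per-client access control or logging on the server loses the real client IP. If that matters, pointing the internal DNS record at the inside IP, as suggested earlier in the thread, avoids the hairpin altogether.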
10 REPLIES

Inside Access to NAT IP on outside interface

There are two solutions, depending of your DNS-Design.

If your clients query only an inside server, then this server has to resolve the FQDN to the inside IP.

If an external DNS-Server is queried, then the nat-statement needs "dns-doctoring" which is configured with the parameter "dns".


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Inside Access to NAT IP on outside interface

You want the inside subnet to access the server 192.168.222.30 using its public NATed IP 199.204.50.2?

Have you tried using a NAT for this?

nat (inside,inside) source static "object for 192.168.222.30" "object for 199.204.50.2"

with also the command:

same-security-traffic permit intra-interface

Let me know if this helps you.

Inside Access to NAT IP on outside interface

Basically, we have a vmview connection server that has a dns name of vmview.companyx.com. The internal DNS for this site points to a public IP which is on an IP in the outside interface network range. From what you guys have suggested, and what I have researched, I believe I need to implement DNS re-write/Doctoring. I'm trying to find some good examples of syntax about this command on 8.4 code.


Inside Access to NAT IP on outside interface

Your case should be similar to the following:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140517

It's really that easy, that you just add the parameter "dns".


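For the second case Karsten describes in this thread, where inside clients query an external DNS server through the ASA, here is the 8.4 object NAT form with the `dns` keyword together with the DNS inspection check it depends on. This is an added example, not the thread's own configuration; the object name and the interface names inside/outside are assumptions, and the policy-map and class names are the ASA defaults.

```cisco
! Added example (not from the thread): static object NAT with DNS rewrite
! ("DNS doctoring") for the server discussed above. Object name is assumed.
object network Internal_Server
 host 192.168.222.30
 nat (inside,outside) static 199.204.50.2 dns
!
! The dns keyword is acted on by DNS application inspection: an A record of
! 199.204.50.2 in a reply crossing from outside to inside is rewritten to
! 192.168.222.30. It does nothing if inspect dns is not applied. The default
! global policy already contains it; confirm with:
show service-policy inspect dns
!
! If it is missing, add it back to the existing global policy
! (names below are the ASA defaults):
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Two caveats the thread touches on: the rewrite is silent when DNS inspection has been removed from the global policy, so checking `show service-policy inspect dns` is the first step when doctoring "does not work"; and the engine only ever sees replies that traverse the ASA, so when clients use an internal DNS server (the first case above) the A record itself has to be set to 192.168.222.30.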

Inside Access to NAT IP on outside interface

Hey, thanks for the information guys. This worked but did not fix the problem. The internal DNS is hq.companyx.com and the external DNS is companyx.com. We get the response now from vmview.companyx.com as our internal IP, but the VmView VCS rejects it. From what I heard, this is because it's expecting to get a response from an outside connection. From what I was thinking, does the ASA NAT an internal IP (I have 225.0/24 PAT'd to the outside IP) if the outside IP is on the directly connected subnet of the outside interface?


Inside Access to NAT IP on outside interface

Do I understand you right:

- On the ASA you translate your inside source IPs when you access the DMZ from inside?

- On your VMView-server is some access control that only allows access from certain IPs?

If that's the case it would be best to allow the VMview-server to be accessed from the inside IP range. Additionally you should exempt the communication from being natted when sent from inside to DMZ.



Inside Access to NAT IP on outside interface

Hi Jean,

Do you have DNS inspection enabled (with policy-map) while testing with DNS doctoring?

Thx

MS

Inside Access to NAT IP on outside interface

Yes, we have DNS inspection turned on. I think what I need to work with the VCS server is that my internal subnet on the inside interface of the ASA (192.168.225.0/24) needs to access a NAT'd IP (1.2.3.0/29). The VCS server has an IP address which is in the outside interface IP range.

The internal clients are having issues connecting to 1.2.3.2 which is the VCS server.

192.168.225.x (Inside Interface Range)<=====>(Outside Interface Range)1.2.3.2/29

The internal hosts cannot connect to 1.2.3.2/29.

I didn't know if this was some security feature that didn't allow internal hosts to access the outside interface IP range or not. Currently all internal hosts are PAT'd to 1.2.3.1 (outside interface IP).


Inside Access to NAT IP on outside interface

Thanks, everyone for your help! Nicely done jcarvaja.
