I have two external IP ranges. From outside everything is reachable, but from inside I cannot reach the external IP. In some cases this is necessary, though. I have an ASA 55xx with the latest OS. How can I configure the ASA to let internal clients reach the external IP ranges from inside? Do I need a static NAT rule for this? Does someone have an example for me? Thanks and regards.
x.x.x.x = external IP
y.y.y.y = internal IP
same-security-traffic permit intra-interface
static (inside,inside) x.x.x.x y.y.y.y netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0 0
Old (8.2 and earlier) dynamic PAT:
nat (inside) 1 0 0
global (outside) 1 interface
New (8.3) dynamic PAT:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
For example, I have an internal server 172.16.16.10 with a service on port 5467, published on the outside IP 18.104.22.168 on the same port. From a host inside the network with the IP 172.16.16.233 I can perform a "telnet 172.16.16.10 5467" session and get an answer from the service.
From outside everything is fine too. But sometimes there is a need to reach the external IP from INSIDE the LAN.
For example, a host with 172.16.16.233 needs to telnet to "22.214.171.124 5467" from inside. And here is the problem: there is no answer from the service. Do you understand what I mean?
ip address 126.96.36.199 255.255.255.0
ip address 172.16.16.1 255.255.0.0
Maybe of interest: if I look in the ASA log while I perform a telnet from inside to the outside IP, I see this:
4 Mar 30 2010 03:30:50 106563 188.8.131.52 172.16.16.233 Deny icmp src outside:184.108.40.206 dst inside:172.16.16.233 (type 5, code 1) by access-group "global_access" [0x0, 0x0]
2 Mar 30 2010 03:30:50 106556 Deny IP spoof from (220.127.116.11) to 18.104.22.168 on interface outside
OK, for the whole subnet:
object network obj-172.16.16.0
subnet 172.16.16.0 255.255.255.0
object network obj-22.214.171.124
subnet 126.96.36.199 255.255.255.0
nat (inside,inside) static obj-172.16.16.0
If you are mapping the subnet, it will be translated sequentially, i.e.:
188.8.131.52 --> 172.16.16.1
184.108.40.206 --> 172.16.16.2
Since you have already configured a specific translation before, you would need to do one IP address for whatever mapping you have configured earlier for the (inside,outside) translation.
OK, I tried it with a single NAT and not the whole range, but it seems not to work for me. Here is what I've configured now for the address:
nat (inside,outside) source static 172.16.16.10 220.127.116.11
object network 18.104.22.168
nat (inside,inside) static 172.16.16.10
I'm not quite sure whether I misunderstood the meaning. In the case of your example, since your internal user (172.16.16.233) needs to visit an internal server (172.16.16.10), the traffic seems to have no need to go through the firewall, as the two IP addresses are in the same subnet. If you want the internal users to see the server as a NATed address, you may need to add one more translation entry "static (inside,inside) 22.214.171.124 172.16.16.10"; meanwhile you need to add "same-security-traffic permit intra-interface".
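A consolidated configuration for the scenario in this thread on ASA 8.3 and later (for 8.2 and earlier, the static (inside,inside) form given in the replies above applies). This is an added editorial example, not configuration posted by anyone in the thread. It assumes the real server 172.16.16.10 on the inside interface, as stated above, and uses 203.0.113.10 (a documentation address) as a stand-in for the public address, because the public addresses quoted in the posts are not consistent with each other. The object names SRV-REAL and SRV-PUBLIC are arbitrary.

```cisco
! Added example (not from the thread): hairpin / "NAT on a stick" on ASA 8.3+.
! Real server 172.16.16.10 is from the thread; 203.0.113.10 is a stand-in public IP.

! 1. Allow a flow to enter and leave the same interface (inside -> inside).
same-security-traffic permit intra-interface

! 2. The real server and its public address as network objects.
object network SRV-REAL
 host 172.16.16.10
 ! Existing one-to-one publication toward the Internet (object NAT).
 nat (inside,outside) static 203.0.113.10

object network SRV-PUBLIC
 host 203.0.113.10

! 3. Hairpin rule (manual/twice NAT, evaluated before the object NAT above).
!    An inside client connecting to the public address has its destination
!    rewritten to the real server and its source PAT'd to the inside interface
!    address. The source PAT is essential: without it the server, which shares
!    the subnet with the client, would answer the client directly and the ASA
!    would never see the reply.
nat (inside,inside) source dynamic any interface destination static SRV-PUBLIC SRV-REAL

! 4. Caveat for access lists: from 8.3 on, ACLs match the real (untranslated)
!    address. If an ACL is applied to inside traffic (or globally), it must
!    permit tcp to host 172.16.16.10 eq 5467, not to 203.0.113.10.
```

To check the result without a client, run packet-tracer on the ASA with a made-up source port, e.g. "packet-tracer input inside tcp 172.16.16.233 40000 203.0.113.10 5467": the NAT phase should show the (inside,inside) rule being hit and the final action should be ALLOW. After a real telnet from 172.16.16.233, "show xlate" should list both the destination translation 203.0.113.10 -> 172.16.16.10 and the source PAT of the client to the inside interface address.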