Single IP 5505 - DMZ clients can't HTTPS to NAT'd Exchange server
I have an ASA 5505 with the base license, which I setup a DMZ interface on for WiFi clients. When I setup the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but user's iPhones can't get email unless they turn WiFi off.
I can see a log entry stating that the connection was "denied by ACL from <dmz ip>/49689 to dmz:<external ip>/443"
Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server which is NAT'd on the 5505's external IP?
Single IP 5505 - DMZ clients can't HTTPS to NAT'd Exchange serve
You're going to need a security image for the 5505 in order to be able to forward traffic to both the inside and outside interfaces from the dmz. The reason that it works by turning wifi off is because it has to go through the provider at that point and your users are hitting your outside interface. Currently, with the base image, you can only forward traffic to one interface or the other but not both.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...