I have a situation where I have internal hosts on 192.168.3.0/24 and static entries set up on an ASA5520 that map to some of those addresses. Static NAT works as expected for sources originating from the outside of the ASAs, but any traffic from the 192.168.3.0/24 network itself to the public addresses just times out (SYN sent, but no ACK). Config is attached. In the config, the interfaces in question are ge0 (outside, where the static IPs are available) and ge2-2 (inside, where the real IPs are AND where hosts may also need to connect to the public IPs specified by the static statements).
Any help is greatly appreciated! Thanks in advance.
You can't use the public IP addresses allocated to the internal SMTP servers when initiating connection from inside hosts. You need to point the internal hosts to 192.168.3.21 and .28 respectively instead.
I am suspecting that you probably use OWA or something like that and want to use the same hostname (which resolves to the public IP) for both internal and external users, correct? If that is the case, you could use a feature called DNS doctoring by adding dns at the end of every static command. You also need to make sure the DNS server resolving that hostname is located OUTSIDE of your firewall. Please check the example below.
It's not OWA (it's Postfix on Linux boxes) but you're correct about the desired goal. What's odd is that in another location where I use ASA boxes this does work, but I think it's a side effect of the configuration. In that setup, the public IPs are a /24 that is routed (by our ISP) to the ASAs which are on one end of a /30. I think what's happening there, assuming you're correct, is that traffic follows the default gw of the ASA to the ISP's router, gets NAT'd, and then immediately routed back to the ASAs. Of course, that's if I'm understanding the case correctly. I definitely appreciate your response, but I find it sad that this is the case. It seems like this should be possible.
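For reference, here is what the DNS doctoring suggested in the thread looks like in pre-8.3 ASA static syntax. This is an added illustration, not the poster's attached config: the nameifs inside/outside and the 203.0.113.x public addresses are placeholders; only 192.168.3.21 and .28 come from the thread.

```cisco
! Added example, not the original poster's config.
! Assumes nameif "outside" on ge0 and "inside" on ge2-2 (placeholders),
! and 203.0.113.21/.28 as placeholder public addresses.

! Before: plain static NAT. Outside-to-inside works, but an inside host that
! resolves the mail hostname to 203.0.113.21 sends its SYN toward the outside
! address. The ASA does not turn that flow back into the inside interface, so
! the SYN is never answered and the connection times out (the symptom above).
static (inside,outside) 203.0.113.21 192.168.3.21 netmask 255.255.255.255
static (inside,outside) 203.0.113.28 192.168.3.28 netmask 255.255.255.255

! After: the same statics with the dns keyword. When a DNS reply from a server
! OUTSIDE the firewall crosses the ASA carrying an A record of 203.0.113.21,
! the ASA rewrites that answer to 192.168.3.21 before handing it to the inside
! client. The client then connects to the real address directly, so no traffic
! ever needs to hairpin through the outside interface.
static (inside,outside) 203.0.113.21 192.168.3.21 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.28 192.168.3.28 netmask 255.255.255.255 dns

! DNS doctoring only takes effect when DNS inspection is enabled. The default
! global policy already includes it; verify it is present with "show run
! policy-map" if the rewrite does not happen.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

If the DNS server sits inside the firewall, its replies never cross the ASA and nothing is rewritten; in that case the inside zone must resolve the hostname to the 192.168.3.x address itself (split DNS), which is the alternative the answer above describes.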