The server Public IP not Accessible from internal Network

mahmoud.yasin

Hi

I have an ASA 5510 running version 8.3. I have a server in my internal network and have published its HTTP service (so I configured NAT for this server).

The server's public IP is accessible from the internet, but it's not accessible from the internal network.

However, it's accessible using its private IP address from the internal network.

Does anyone have an explanation?

Thanks

varrao

Hi Mahmoud,

What you are trying to do is called u-turning on the ASA. You would need to put the following configuration in place for it:

Let's assume that your server's public IP is 1.1.1.1 and its private IP is 10.1.1.1

object network public

host 1.1.1.1

object network private

host 10.1.1.1

object service tcp_443

service tcp destination eq 443

nat (inside,inside) source static any interface destination static public private service tcp_443 tcp_443

same-security-traffic permit intra-interface

sysopt noproxyarp inside

and it should work after this.

Let me know how it goes.

Hope that helps.

Thanks,

Varun


Hi Varun

Thank you for your reply.

The exact setup is as below:

- There are three zones: inside, outside, DMZ.

- The published server is in the DMZ zone.

- The server is published using the outside interface IP address.

- The users are trying to access the server using the public IP address from the inside zone.

So how will the configuration be in this case?

I tried the following but didn't succeed:

(

object network obj-10.0.3.10

host 10.0.3.10

object service tcp_80

service tcp destination eq www

nat (inside,dmz) source static any interface destination static interface obj-10.0.3.10 service tcp_80 tcp_80

sysopt noproxyarp inside

same-security-traffic permit inter-interface

)

Thanks

Hi varun,

Can you brief me regarding the sysopt noproxyarp command?

Mahmoud,

You can try this

nat (inside,dmz) source dynamic any interface destination static d-nat real-ip service tcp_80 tcp_80

Where d-nat is the public IP address of the server and real-ip is the IP address of the server in the DMZ.

Puneet
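Added example, not part of the original thread: the command in the reply above references three objects that the post does not define, so this sketch fills them in and adds a verification step. The public address 203.0.113.10 and the inside client 10.0.1.50 are constructed placeholders; 10.0.3.10 and the tcp_80 service object are taken from the earlier post in this thread.

```text
! Objects referenced by the NAT rule (203.0.113.10 is a placeholder public IP)
object network d-nat
 host 203.0.113.10
object network real-ip
 host 10.0.3.10
object service tcp_80
 service tcp destination eq www
!
! Twice NAT for inside clients that target the public address:
!   destination: d-nat (public) is rewritten to real-ip (DMZ server), port 80 kept
!   source:      any inside host is PAT'ed to the ASA's DMZ interface address,
!                so the server's replies return through the firewall
nat (inside,dmz) source dynamic any interface destination static d-nat real-ip service tcp_80 tcp_80
!
! Verification: confirm the rule is installed and collecting hits, then trace
! a constructed inside client (10.0.1.50) connecting to the public address
show nat detail
packet-tracer input inside tcp 10.0.1.50 12345 203.0.113.10 80
```

Because the source is translated to the DMZ interface address, the web server's access logs will show the firewall's DMZ IP for every inside client; per-user attribution for these connections has to come from the ASA's own connection and translation logs.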

Dear Puneet

It worked.

Thank you all

Hi Mahmoud,

Nice to hear that it worked.

Please find this DOC on how to achieve the same.

https://supportforums.cisco.com/docs/DOC-21602

Puneet
