Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Basic NAT and routing questions

I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets.  The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network.  I have a DNS server on my internal network and it does resolve to the public IP correctly.  NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly.  I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress  to the external (NATed) address is allowed.  Can anyone help me troubleshoot this and figure out why it is not working? 

Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network.  If I am outside my cisco then I can go to http://72.22.214.121 easily.

Here is most of my running config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0           (my internal network is 192.168.0/24)
!
interface Vlan2
nameif outside
security-level 0
ip address 72.22.214.120 255.255.255.240      (this is my cisco's IP)
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0                (my DMZ network is 192.168.1/24)
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
access-list botnet-exclude extended permit ip any any
access-list outside_access_in extended permit tcp any host 72.22.214.119 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any host 72.22.214.121 object-group DM_INLINE_TCP_6
access-list outside_access_in extended permit tcp any host 72.22.214.123 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 72.22.214.124 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 72.22.214.125 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 72.22.214.126 object-group DM_INLINE_TCP_4
access-list XXXXXX_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list XXXXXX_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.192
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXXXXXPool 192.168.2.10-192.168.2.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) 72.22.214.119 192.168.1.119 netmask 255.255.255.255           (NAT entries)
static (dmz,outside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255
static (dmz,outside) 72.22.214.124 192.168.1.124 netmask 255.255.255.255
static (dmz,outside) 72.22.214.125 192.168.1.125 netmask 255.255.255.255
static (dmz,outside) 72.22.214.126 192.168.1.126 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 72.22.214.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server XXXXXDomain protocol nt
aaa-server XXXXXDomain (inside) host 192.168.0.120
timeout 5
nt-auth-domain-controller test-pdc
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.20-192.168.0.30 inside
dhcpd dns 192.168.0.120  interface inside
dhcpd wins 192.168.0.120 interface inside
dhcpd domain xxx.xxxxxxxx.com interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface inside
dynamic-filter enable interface outside classify-list botnet-exclude
dynamic-filter drop blacklist interface inside
dynamic-filter ambiguous-is-black
ntp server 200.50.25.62 prefer
ntp server 128.138.188.172
ntp server 64.147.116.229
webvpn
group-policy XXXXXXXX internal
group-policy XXXXXXXX attributes
dns-server value 192.168.0.120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
!
class-map inspection_default
match default-inspection-traffic
class-map botnet-DNS
match port udp eq domain
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
policy-map botnet-policy
class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:739ee35f8c0d3ff262fbf48e05bce41d
: end

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Basic NAT and routing questions

Pls try this,

static (dmz,inside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255

---

Posted by WebUser Kyaw Swar

1 REPLY
Silver

Basic NAT and routing questions

Pls try this,

static (dmz,inside) 72.22.214.121 192.168.1.121 netmask 255.255.255.255

---

Posted by WebUser Kyaw Swar

754
Views
0
Helpful
1
Replies
CreatePlease to create content