Cisco Support Community

how to let inside user access outside NATed IP addresses?

Hello!

Recently I've set up an ASA5510 to meet the following criteria:

Cr1. inside users go to Internet with a single ip address (outside interface)

Cr2. DMZ contains http, mail servers that are NAT'ed to outside network

Cr3. Inside users access http, mail servers by their DMZ IP addresses (I split DNS here)

I would like to make some improvements to this config:

I1. Access to these NATed services from inside without the need to split DNS, so I could use just one external DNS. Please note that I do not want to move both servers to outside and prefer to keep them on the DMZ.

I2. Make users from inside appear on the Internet with a group of IP addresses instead of the single IP of the outside ASA interface.

I3. NAT an inside Lotus Domino server to an outside IP and be able to access it from inside by using its NATed outside address as well as its inside IP.

Improvement #3 I've half done easily, but I cannot figure out how to make inside users access either DMZ or inside hosts by their NATed outside IPs.

Any suggestions are greatly appreciated!

Thank you!

Re: how to let inside user access outside NATed IP addresses?

Thank you a lot! That worked.


Re: how to let inside user access outside NATed IP addresses?

Clark, could you comment if the following scenario is possible?

DMZ host I binated for inside users to connect to the outside address, this is cool. But I also have VPN users sitting in France; my DMZ server must push email through the site-to-site VPN. So, what should be done here? NATing the DMZ address to the inside network cannot be done, as I already have an (inside,dmz) dmz.address,external.address command, and another (inside,dmz)dmz.address,inside.address would overlap the existing one.

Is there any chance of NATing one host to two different addresses, or could this be done otherwise?

Thank you!
