Cisco Support Community
asa5510 connection from dmz to same dmz over public ip

Hello, I still have the problem that I'm not able to connect from inside the DMZ (NAT used) to another server inside the same DMZ over its public IP.

Example: I want to connect from the web server 192.168.101.119 to the database server 192.168.101.118, using its public IP 212.172.190.118 for that.

Can anyone help me, please?

access-list LAN_nat0_outbound extended permit ip any 192.168.105.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 212.172.190.119 eq www
access-list outside_access_in extended permit tcp any host 212.172.190.118 eq 5432
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any host 212.203.110.200 eq www
access-list outside_access_out extended permit tcp any any
global (outside) 1 212.172.190.99-212.172.190.126 netmask 255.255.255.224
global (outside) 2 212.203.110.194-212.203.110.254 netmask 255.255.255.224
global (outside) 111 interface
global (inside) 100 192.168.100.2-192.168.100.254 netmask 255.255.255.0
global (dmz1) 101 192.168.101.2-192.168.101.254 netmask 255.255.255.0
global (dmz2) 102 192.168.102.2-192.168.102.254 netmask 255.255.255.0
nat (inside) 0 access-list LAN_nat0_outbound
nat (inside) 111 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (dmz1,outside) 212.172.190.118 192.168.101.118 netmask 255.255.255.255
static (dmz1,outside) 212.172.190.119 192.168.101.119 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 212.203.111.0 255.255.255.224 212.203.111.193 1
route outside 0.0.0.0 0.0.0.0 212.172.190.97 1

1 REPLY

Re: asa5510 connection from dmz to same dmz over public ip

Within a segment, or in your case the DMZ, all hosts in that segment need to communicate using their own physical IPs (within the same subnet), not the NATted public IP.

For example, the 192.168.101.119 server must and can only talk to 192.168.101.118, not to 192.168.101.118's public IP, which is 212.172.190.118. No communication can or will ever take place if any 192.168.101.x host tries to talk to any server within the same segment using the target server's public IP address, and the PIX will never allow it.

The reason you NAT or map your private IP to a public IP is only to allow outside/internet users to access your DMZ server via a routable/recognized public IP.

As far as the PIX is concerned, this is only a virtual IP for the DMZ host so that an external connection/session can be initiated from outside, not by any member host within the same DMZ segment or any other segment with a lower security level.

So, if you want to allow the hosts in the DMZ to talk to each other, use their own physical IP addresses (192.168.101.x), not the NATted addresses. I am sure you can always ping any host/server in the DMZ using its own 192.168.101.x IP, but not the public IP of the machine (it will time out).

If you simply want to test the reachability of your DMZ server from the internet, you can do it either from your internet router, or by connecting your laptop to the same segment as your PIX outside interface and the internet router FE, or by having somebody with internet access ping it or access it via whatever services you opened, i.e. ftp, www and so on.

HTH

AK
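To illustrate the reply's point with the two `static` lines from the question, here is a small added model (not Cisco code, and not part of this thread) of how those translations are keyed by an (real interface, mapped interface) pair. It assumes a simplified routing rule: a destination inside 192.168.101.0/24 is on dmz1, anything else goes out the outside interface.

```python
"""Model of the posted ASA static NAT entries, keyed by interface pair.
Added example, not Cisco code. Routing is simplified: destinations in the
dmz1 subnet are local, everything else is routed to 'outside'."""
import ipaddress
import re

# The two static translations copied from the question's configuration.
CONFIG = """
static (dmz1,outside) 212.172.190.118 192.168.101.118 netmask 255.255.255.255
static (dmz1,outside) 212.172.190.119 192.168.101.119 netmask 255.255.255.255
"""
DMZ1 = ipaddress.ip_network("192.168.101.0/24")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def parse_statics(text):
    """Return {(real_if, mapped_if): [(mapped_ip, real_ip), ...]}."""
    table = {}
    for real_if, mapped_if, mapped, real, mask in STATIC_RE.findall(text):
        if mask != "255.255.255.255":
            continue  # only one-to-one host statics appear in the posted config
        table.setdefault((real_if, mapped_if), []).append((mapped, real))
    return table


def interface_for(addr):
    """Simplified route lookup: dmz1 subnet or the default route (outside)."""
    return "dmz1" if ipaddress.ip_address(addr) in DMZ1 else "outside"


def resolve(statics, src, dst):
    """Return (action, effective_dst, egress_if) for a flow entering the firewall.
    A static only untranslates traffic that enters on its *mapped* interface, so
    a dmz1 host sending to 212.172.190.118 never matches the (dmz1,outside) entry."""
    in_if = interface_for(src)
    for (real_if, mapped_if), entries in statics.items():
        if mapped_if != in_if:
            continue
        for mapped, real in entries:
            if mapped == dst:
                return ("untranslate", real, real_if)
    out_if = interface_for(dst)  # no static applies; route on the address as sent
    if in_if == out_if == "dmz1":
        return ("local", dst, "dmz1")  # same subnet, firewall is not involved
    mapped_addrs = {m for entries in statics.values() for m, _ in entries}
    if dst in mapped_addrs:
        return ("no translation", dst, out_if)  # public IP used from the wrong side
    return ("forward", dst, out_if)
```

Running `resolve(parse_statics(CONFIG), "192.168.101.119", "212.172.190.118")` yields "no translation": the public address only has meaning for traffic entering on outside, which is the reply's point.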
