Cisco ASA: how do you allow an internal client to access a machine on another VLAN that resolves to a public IP?
Some network security background is needed here, or you're pretty much SOL. On a Cisco ASA 5505 I am using NAT with an internal (inside) interface and a DMZ interface. If you ping a website hosted on our web server in the DMZ, the name resolves to the external (public) IP of the ASA, because the public DNS for the site is hosted by our ISP. Now when you try to access the site from the internal interface, it won't work. I don't know why, but I think it's because the traffic would try to exit and re-enter the router.
The fix is to create a destination NAT. In ASDM, click Configuration at the top, then NAT in the left menu. Click the Add button and choose Add Static NAT. The real address is the internal DMZ address of the web server (10.1.x.x) and the interface is the DMZ. Under Static Translation, the interface is the one you want to reach the web server from (the internal interface, 10.2.x.x), and the IP address is the public IP (24.x.x.x) that the www address resolves to when you ping it.
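The same static NAT entered at the ASA CLI instead of through ASDM, as an added example that is not from the original post. The interface names (`inside`, `dmz`, `outside`) and the addresses 10.1.0.10, 24.0.0.10 and 10.2.0.50 are constructed placeholders following the 10.1.x.x / 10.2.x.x / 24.x.x.x pattern above. The 8.3-and-later object-NAT form and the DNS-rewrite (`dns`) alternative go beyond what the post shows and are included so the entry can be checked against whichever ASA release is in use.

```cisco
! Added example (not from the original post). Interface names and addresses
! are constructed placeholders; substitute your own.
!
! --- ASA 8.2 and earlier (the syntax current for a 5505 in 2009) ---
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! Inside hosts that connect to 24.0.0.10 are translated to 10.1.0.10 in the DMZ.
! This is the CLI equivalent of the ASDM "Add Static NAT" entry described above.
static (dmz,inside) 24.0.0.10 10.1.0.10 netmask 255.255.255.255
!
! The existing DMZ-to-outside static that publishes the server to the Internet.
! The optional "dns" keyword (DNS rewrite) makes the ASA rewrite the A record in
! DNS replies passing through it, so inside clients that resolve the name via
! the ISP learn 10.1.0.10 directly and never need the hairpin translation.
static (dmz,outside) 24.0.0.10 10.1.0.10 netmask 255.255.255.255 dns
!
! --- ASA 8.3 and later (object NAT; same intent, different syntax) ---
object network dmz-web
 host 10.1.0.10
 nat (dmz,inside) static 24.0.0.10
!
! Verify the translation before changing any ACLs (10.2.0.50 is a placeholder
! inside client): the trace should show a NAT phase mapping 24.0.0.10 to
! 10.1.0.10 with egress on dmz, and "show xlate" lists the resulting entry.
! packet-tracer input inside tcp 10.2.0.50 12345 24.0.0.10 80
! show xlate
```

Access from inside to the server must still be allowed by the access policy on the DMZ side; `packet-tracer` shows at which phase (NAT, ACCESS-LIST, ROUTE-LOOKUP) a flow is dropped, so run it first when the translation looks right but the site still does not load.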
Richard Clayton
11 Mar, 2009
I tried this and it works, but I need to go a step further: if a user on the inside wanted not just one public IP to NAT through to a DMZ IP address but wanted, say, a whole /24 of public IPs to NAT to one DMZ address, would this be possible and how?
shank
11 Mar, 2009
So you want a /24 of public addresses to pass through the router into one DMZ address?