VoyagerHealthCare asked:

ASA 5510 question

Let's say that one of my inside interfaces is set to 10.0.0.1 and my mail server is 10.0.0.254.
Let's also say that I create a static map to allow traffic in from the outside interface to go to the mail server.
Suppose the outside interface is set to 64.64.64.64. Is there a way to config the ASA to allow a client at 10.0.0.50 to connect to 64.64.64.64? It would be like going out and back in again. (sort of).
ricks_v

Yes, it's possible.
You will need split tunneling enabled though; that way, the LAN client will go out to 64.64.64.64 and back to the mail server.

Personally, I would prefer using 10.0.0.254 address for internal clients..

Hope this helps..
VoyagerHealthCare (ASKER)

Can you tell me how to do this? Here is my shortened sanitized config.

: Saved
:
ASA Version 7.0 (8)
!
hostname DTC-FireWall
domain-name VHC.com
enable password wNjTjDTuGIWhG9bl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 IDCnet
name 192.168.254.0 Voyager-net
name 192.168.225.0 RemoteAccess-net
name 10.254.254.0 DMZnet
name 192.168.3.0 StLouis-net
name 192.168.0.0 HillSide-net
name 10.2.7.0 Cleburne-net
name 10.2.9.0 Conroe-net
name 10.2.3.0 Houston-net
name 10.2.2.0 Dallas-net
name 10.2.10.0 McKinney-net
name 10.2.4.0 Denton-net
name 10.2.6.0 Pasadena-net
name 10.3.3.0 Newton-net
name 10.3.4.0 Parsons-net
name 10.3.5.0 Lenexa-net
name 10.3.6.0 KCMO-net
name 10.3.7.0 Hutchinson-net
name 10.3.8.0 ElDorado-net
name 10.3.9.0 McPherson-net
name 10.3.10.0 Winfield-net
name 10.3.11.0 Wellington-net
name 10.3.13.0 Salina-net
name 10.2.1.0 FTWorth-net
name 10.2.8.0 WhichitaFalls-net
name 192.168.70.0 KansasAdmin-net
name 192.168.35.0 Troy-net
name 10.2.5.0 Jacksboro-net
name 10.3.12.0 Topeka-net
name 10.7.1.0 Birmingham-net
name 10.9.1.0 SanDiego-net
name 10.10.1.0 VHH-Houston
name 192.168.30.0 Farmington-net
name 10.5.1.0 Johnston-net
name 10.20.30.0 ShadowVentures_2
name 192.168.200.0 ShadowVentures_1
dns-guard
!
interface Ethernet0/0
 nameif Outside-0
 security-level 0
 ip address 64.143.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
 nameif Inside-1
 security-level 100
 ip address 10.0.0.254 255.255.254.0
!
interface Ethernet0/2
 shutdown
 nameif Inside-2
 security-level 100
 ip address 10.0.3.254 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 10.254.254.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.31.254.254 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list IPS extended permit ip any any
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Voyager-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 192.168.222.0 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Houston-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 StLouis-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 HillSide-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Dallas-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 172.25.200.0 255.255.254.0
access-list Shadow_1_CryptoMap extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq imap4
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list split_tunnel standard permit IDCnet 255.0.0.0
access-list split_tunnel standard permit HillSide-net 255.255.0.0
access-list Johnston_CryptoMap extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list dmz_access_in extended permit ip any host 10.0.0.90
access-list dmz_access_in extended permit ip any host 10.0.0.10
access-list dmz_access_in extended permit ip any host 10.0.0.30
access-list dmz_access_in extended permit ip any host 10.0.0.50
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit udp any any eq dnsix
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip host 10.254.254.1 any
access-list dmz_access_in extended permit ip any host 10.0.1.100
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Houston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 DMZnet 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 StLouis-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 HillSide-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 FTWorth-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip FTWorth-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip StLouis-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip WhichitaFalls-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 IDCnet 255.255.254.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_2 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 KCMO-net 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside-0 1500
mtu Inside-1 1500
mtu Inside-2 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Client-Pool 192.168.225.1-192.168.225.254 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside-0) 1 interface
nat (Inside-1) 0 access-list inside-1_nonat_outbound
nat (Inside-1) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nonat_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,Outside-0) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
static (Inside-1,Outside-0) 64.143.xxx.xxx 192.168.254.1 netmask 255.255.255.255
access-group outside_access_in in interface Outside-0
access-group dmz_access_in in interface DMZ
route Outside-0 0.0.0.0 0.0.0.0 64.143.xxx.xxx 1
route Inside-1 HillSide-net 255.255.255.0 10.0.0.1 2
route Inside-1 Voyager-net 255.255.255.0 10.0.0.1 1
route Inside-1 WhichitaFalls-net 255.255.255.0 10.0.0.1 1
route Inside-1 StLouis-net 255.255.255.0 10.0.0.1 1
route Inside-1 KansasAdmin-net 255.255.255.0 10.0.0.1 1
route Inside-1 FTWorth-net 255.255.255.0 10.0.0.1 1
route Inside-1 Houston-net 255.255.255.0 10.0.0.1 1
route Inside-1 Dallas-net 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnusers protocol radius
aaa-server vpnusers (Inside-1) host 10.0.1.210
 key Qwerty18436572!
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 10.0.0.150
 dns-server value 192.168.254.249
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value ah-corporate.com
 webvpn

!
class-map inspection_default
 match default-inspection-traffic
class-map My-IPS-Class
 match access-list IPS
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class My-IPS-Class
  ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:0a779e5e66fff2031e9cfff470ce5708
: end
If I did something like the following, would it work?

static (Outside-0,DMZ)  10.254.254.1  64.143.xxx.xxx netmask 255.255.255.255

BTW, this is actually to get access for inside clients to WebPortal on DMZ interface. I can't connect on inside IP, because it is HTTPS with cert tied to outside IP.
Anybody know how to do this?
Give this a shot:

conf t
access-list inside-1_nonat_outbound extended permit ip any 10.254.254.0 255.255.255.0

static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255

Actually, add this instead:

static (Inside-1,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (Inside-1,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
Hi, I tried the second one and the only thing that happened was the inside network lost connectivity with 10.254.254.1 and the inside still could not talk to 64.140.xxx.xxx. I then removed the 3 lines and tried the 1st config you posted. It had the same end result as the 2nd posted config change.
You will no longer be able to communicate to the DMZ server using the 10.254.254.1 IP.   You will have to use the public 64.140.x.x IP.  You used the correct 64.140.x.x IP for the DMZ server, right?  With the second config (don't use the first), you couldn't ping the DMZ server using 64.140.x.x from an inside host?  Try a "telnet 64.140.x.x 80" from a command prompt on an inside host.  Double check you used the correct public IP.  Also, the interface names in the static commands are case sensitive so make sure you typed them correctly (with the proper case) if not copying and pasting mine.
All you need from the 2nd version above is the 3rd statement.  The first statement is particularly bad, don't go there..

But your NAT exemptions are a horror to behold, you should really simplify things some.. but down to business.
In addition to that static, you'll want to kill this statement:
no access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0

You should now be able to access the server on 64.143.x.x, but as JF said only that.  You can't use 10.254.254.1 anymore.
---
I haven't scanned the details of the networks, this post only aimed at the directly connected network 10.0.0.0/23
If you have more that needs this access, check if those 2 aren't being NAT exempted from the DMZ.
(Truth is you probably don't need a single NAT exemption from the DMZ, beyond remote access - but I haven't proofread them).
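
The conflict described in the post above, as an added example that is not part of the thread: on this ASA software generation a `nat 0 access-list` exemption is matched before a `static`, so an exemption entry from the DMZ server toward inside networks keeps `static (DMZ,Inside-1)` from applying. This Python sketch flags such entries; the function names, the trimmed sample config and the 203.0.113.10 address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample modelled on the thread's config. 203.0.113.10 is a
# documentation address standing in for the sanitized 64.143.xxx.xxx.
SAMPLE_CONFIG = """\
name 10.0.0.0 IDCnet
name 192.168.254.0 Voyager-net
name 192.168.225.0 RemoteAccess-net
name 10.254.254.0 DMZnet
interface Ethernet0/1
 nameif Inside-1
 ip address 10.0.0.254 255.255.254.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Voyager-net 255.255.255.0
nat (DMZ) 0 access-list dmz_nonat_outbound
static (DMZ,Inside-1) 203.0.113.10 10.254.254.1 netmask 255.255.255.255
route Inside-1 Voyager-net 255.255.255.0 10.0.0.1 1
"""


def parse(config):
    """Collect exemption ACL entries, statics and the networks behind each interface."""
    names, acls, exempt, statics, behind = {}, {}, {}, [], {}
    nameif = None

    def net(addr, mask):
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    for line in config.splitlines():
        t = line.split()
        try:
            if t[:1] == ["name"] and len(t) == 3:
                names[t[2]] = t[1]
            elif t[:1] == ["nameif"] and len(t) == 2:
                nameif = t[1]
            elif t[:2] == ["ip", "address"] and len(t) == 4 and nameif:
                behind.setdefault(nameif, []).append(net(t[2], t[3]))
            elif t[:1] == ["route"] and len(t) >= 5 and t[3] != "0.0.0.0":
                behind.setdefault(t[1], []).append(net(t[2], t[3]))  # skip default route
            # Only "permit ip <net> <mask> <net> <mask>" entries are handled;
            # "any" and "host" forms are skipped in this sketch.
            elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
                acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8]), line))
            elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) == 5:
                exempt[t[1].strip("()")] = t[4]
            elif t[:1] == ["static"] and len(t) == 6 and t[4] == "netmask":
                real_if, mapped_if = t[1].strip("()").split(",")
                statics.append((real_if, mapped_if, t[2], net(t[3], t[5])))
        except ValueError:
            continue  # sanitized addresses such as 64.143.xxx.xxx cannot be parsed
    return acls, exempt, statics, behind


def exemption_conflicts(config):
    """Return (mapped address, destination, ACL line) for exemption entries that
    cover a static's real host toward networks behind its mapped interface."""
    acls, exempt, statics, behind = parse(config)
    hits = []
    for real_if, mapped_if, mapped, real in statics:
        for src, dst, line in acls.get(exempt.get(real_if), []):
            if real.subnet_of(src) and any(dst.overlaps(n) for n in behind.get(mapped_if, [])):
                hits.append((mapped, str(dst), line))
    return hits
```

On the sample it reports the IDCnet and Voyager-net entries and leaves the RemoteAccess-net entry alone, because that network is not reached through Inside-1.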
Hello Voltz, trying it with just the 1 statement you suggested worked. But like you and Fred said, the server will no longer answer on 10.254.254.1. When needing to access this server for administrative purposes, I can comment out the static mapping. However, this server is a member of the domain (not a DC), so it will not be able to communicate with AD any longer. Is there a way to overcome this limitation?

BTW: Voltz, you mentioned the NAT exemptions being a nightmare. Can you elaborate? I know there are a bunch of them, but we have a lot of field sites coming in through VPNs.
ASKER CERTIFIED SOLUTION
JFrederick29

This solution is only available to members.
Thanks Fred. I decided to go with your last suggestion. It is working well. Thanks again.