Solved

ASA 5510 question

Posted on 2009-04-08
13
284 Views
Last Modified: 2012-05-06
Let's say that one of my inside interfaces is set to 10.0.0.1 and my mail server is 10.0.0.254.
Let's also say that I create a static map to allow traffic in from the outside interface to go to the mail server.
Suppose the outside interface is set to 64.64.64.64. Is there a way to config the ASA to allow a client at 10.0.0.50 to connect to 64.64.64.64? It would be like going out and back in again (sort of).
Question by:VoyagerHealthCare
13 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24102975
Yes, it's possible.
You will need split tunneling enabled though; that way, the LAN client will go out to 64.64.64.64 and back to the mail server.

Personally, I would prefer using the 10.0.0.254 address for internal clients.

Hope this helps..
0
 

Author Comment

by:VoyagerHealthCare
ID: 24103479
Can you tell me how to do this? Here is my shortened sanitized config.

: Saved
:
ASA Version 7.0 (8)
!
hostname DTC-FireWall
domain-name VHC.com
enable password wNjTjDTuGIWhG9bl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 IDCnet
name 192.168.254.0 Voyager-net
name 192.168.225.0 RemoteAccess-net
name 10.254.254.0 DMZnet
name 192.168.3.0 StLouis-net
name 192.168.0.0 HillSide-net
name 10.2.7.0 Cleburne-net
name 10.2.9.0 Conroe-net
name 10.2.3.0 Houston-net
name 10.2.2.0 Dallas-net
name 10.2.10.0 McKinney-net
name 10.2.4.0 Denton-net
name 10.2.6.0 Pasadena-net
name 10.3.3.0 Newton-net
name 10.3.4.0 Parsons-net
name 10.3.5.0 Lenexa-net
name 10.3.6.0 KCMO-net
name 10.3.7.0 Hutchinson-net
name 10.3.8.0 ElDorado-net
name 10.3.9.0 McPherson-net
name 10.3.10.0 Winfield-net
name 10.3.11.0 Wellington-net
name 10.3.13.0 Salina-net
name 10.2.1.0 FTWorth-net
name 10.2.8.0 WhichitaFalls-net
name 192.168.70.0 KansasAdmin-net
name 192.168.35.0 Troy-net
name 10.2.5.0 Jacksboro-net
name 10.3.12.0 Topeka-net
name 10.7.1.0 Birmingham-net
name 10.9.1.0 SanDiego-net
name 10.10.1.0 VHH-Houston
name 192.168.30.0 Farmington-net
name 10.5.1.0 Johnston-net
name 10.20.30.0 ShadowVentures_2
name 192.168.200.0 ShadowVentures_1
dns-guard
!
interface Ethernet0/0
 nameif Outside-0
 security-level 0
 ip address 64.143.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
 nameif Inside-1
 security-level 100
 ip address 10.0.0.254 255.255.254.0
!
interface Ethernet0/2
 shutdown
 nameif Inside-2
 security-level 100
 ip address 10.0.3.254 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 10.254.254.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.31.254.254 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list IPS extended permit ip any any
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Voyager-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 192.168.222.0 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Houston-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 StLouis-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 HillSide-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Dallas-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 172.25.200.0 255.255.254.0
access-list Shadow_1_CryptoMap extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq imap4
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list split_tunnel standard permit IDCnet 255.0.0.0
access-list split_tunnel standard permit HillSide-net 255.255.0.0
access-list Johnston_CryptoMap extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list dmz_access_in extended permit ip any host 10.0.0.90
access-list dmz_access_in extended permit ip any host 10.0.0.10
access-list dmz_access_in extended permit ip any host 10.0.0.30
access-list dmz_access_in extended permit ip any host 10.0.0.50
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit udp any any eq dnsix
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip host 10.254.254.1 any
access-list dmz_access_in extended permit ip any host 10.0.1.100
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Houston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 DMZnet 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 StLouis-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 HillSide-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 FTWorth-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip FTWorth-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip StLouis-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip WhichitaFalls-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 IDCnet 255.255.254.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_2 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 KCMO-net 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside-0 1500
mtu Inside-1 1500
mtu Inside-2 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Client-Pool 192.168.225.1-192.168.225.254 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside-0) 1 interface
nat (Inside-1) 0 access-list inside-1_nonat_outbound
nat (Inside-1) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nonat_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,Outside-0) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
static (Inside-1,Outside-0) 64.143.xxx.xxx 192.168.254.1 netmask 255.255.255.255
access-group outside_access_in in interface Outside-0
access-group dmz_access_in in interface DMZ
route Outside-0 0.0.0.0 0.0.0.0 64.143.xxx.xxx 1
route Inside-1 HillSide-net 255.255.255.0 10.0.0.1 2
route Inside-1 Voyager-net 255.255.255.0 10.0.0.1 1
route Inside-1 WhichitaFalls-net 255.255.255.0 10.0.0.1 1
route Inside-1 StLouis-net 255.255.255.0 10.0.0.1 1
route Inside-1 KansasAdmin-net 255.255.255.0 10.0.0.1 1
route Inside-1 FTWorth-net 255.255.255.0 10.0.0.1 1
route Inside-1 Houston-net 255.255.255.0 10.0.0.1 1
route Inside-1 Dallas-net 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnusers protocol radius
aaa-server vpnusers (Inside-1) host 10.0.1.210
 key Qwerty18436572!
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 10.0.0.150
 dns-server value 192.168.254.249
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value ah-corporate.com
 webvpn

!
class-map inspection_default
 match default-inspection-traffic
class-map My-IPS-Class
 match access-list IPS
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class My-IPS-Class
  ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:0a779e5e66fff2031e9cfff470ce5708
: end
0
 

Author Comment

by:VoyagerHealthCare
ID: 24103706
If I did something like the following, would it work?

static (Outside-0,DMZ)  10.254.254.1  64.143.xxx.xxx netmask 255.255.255.255

BTW, this is actually to get access for inside clients to the WebPortal on the DMZ interface. I can't connect on the inside IP, because it is HTTPS with the cert tied to the outside IP.
0
 

Author Comment

by:VoyagerHealthCare
ID: 24110110
Anybody know how to do this?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24118556
Give this a shot:

conf t
access-list inside-1_nonat_outbound extended permit ip any 10.254.254.0 255.255.255.0

static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24120632
Actually, add this instead:

static (Inside-1,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (Inside-1,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
0
 

Author Comment

by:VoyagerHealthCare
ID: 24120809
Hi, I tried the second one and the only thing that happened was the inside network lost connectivity with 10.254.254.1 and the inside still could not talk to 64.140.xxx.xxx. I then removed the 3 lines and tried the first config you posted. It had the same end result as the second posted config change.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24121619
You will no longer be able to communicate to the DMZ server using the 10.254.254.1 IP. You will have to use the public 64.140.x.x IP. You used the correct 64.140.x.x IP for the DMZ server, right? With the second config (don't use the first), you couldn't ping the DMZ server using 64.140.x.x from an inside host? Try a "telnet 64.140.x.x 80" from a command prompt on an inside host. Double check you used the correct public IP. Also, the interface names in the static commands are case sensitive so make sure you typed them correctly (with the proper case) if not copying and pasting mine.
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24122701
All you need from the 2nd version above is the 3rd statement. The first statement is particularly bad, don't go there.

But your NAT exemptions are a horror to behold; you should really simplify things some. But down to business.
In addition to that static, you'll want to kill this statement:
no access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0

You should now be able to access the server on 64.143.x.x, but as JF said only that.  You can't use 10.254.254.1 anymore.
---
I haven't scanned the details of the networks; this post is only aimed at the directly connected network 10.0.0.0/23.
If you have more that needs this access, check that those 2 aren't being NAT exempted from the DMZ.
(Truth is you probably don't need a single NAT exemption from the DMZ, beyond remote access - but I haven't proofread them).
0
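To make the NAT precedence behind the last two replies concrete, here is an added Python model (not code from the thread or from Cisco) of pre-8.3 ASA behaviour for this topology: NAT exemption (nat 0 access-list) beats a static, and a host covered by a static is reachable from the mapped interface only at its mapped address. The public IP 64.143.0.1 and the /27 around it are constructed stand-ins for the masked 64.143.xxx.xxx; the interface names and private networks follow the poster's config.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in topology: the thread masks the public address as 64.143.xxx.xxx,
# so 64.143.0.1 (and the /27 around it) is an assumption, not the poster's real address.
IFACES = {
    "Inside-1": ipaddress.ip_network("10.0.0.0/23"),
    "DMZ": ipaddress.ip_network("10.254.254.0/24"),
    "Outside-0": ipaddress.ip_network("64.143.0.0/27"),  # also carries the default route
}

@dataclass
class Static:   # static (real_if,mapped_if) mapped real netmask 255.255.255.255
    real_if: str
    mapped_if: str
    mapped: str
    real: str

@dataclass
class Exempt:   # nat (real_if) 0 access-list X, where X = permit ip src_net dst_net
    real_if: str
    src_net: str
    dst_net: str

@dataclass
class Asa:
    statics: list = field(default_factory=list)
    exempts: list = field(default_factory=list)

    def forward(self, ingress, src, dst):
        """Translate one packet; returns (egress, src, dst) or None if the ASA drops it."""
        egress = None
        for s in self.statics:
            if s.mapped_if != ingress:
                continue
            if s.mapped == dst:          # destination untranslate via the static
                dst, egress = s.real, s.real_if
                break
            if s.real == dst:            # real address is no longer usable from the mapped side
                return None
        if egress is None:
            egress = next((n for n, net in IFACES.items()
                           if ipaddress.ip_address(dst) in net), "Outside-0")
        # Source translation: NAT exemption (nat 0 access-list) beats static on pre-8.3 code.
        for e in self.exempts:
            if (e.real_if == ingress
                    and ipaddress.ip_address(src) in ipaddress.ip_network(e.src_net)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(e.dst_net)):
                return egress, src, dst
        for s in self.statics:
            if s.real_if == ingress and s.mapped_if == egress and s.real == src:
                return egress, s.mapped, dst
        return egress, src, dst          # nat-control is off by default: pass untranslated

def session_works(asa, client_if, client, target):
    """True when the client's connection to target gets a reply that appears to come from target."""
    out = asa.forward(client_if, client, target)
    if out is None or out[0] == "Outside-0":
        return False                     # dropped, or sent to the ISP and never hairpinned back
    server_if, src_seen, server = out
    back = asa.forward(server_if, server, src_seen)
    return back is not None and back[0] == client_if and back[1] == target and back[2] == client

def build(hairpin_static, keep_dmz_exempt):
    """Poster's relevant config, optionally with JFrederick29's static and Voltz-dk's removal."""
    asa = Asa()
    asa.statics.append(Static("DMZ", "Outside-0", "64.143.0.1", "10.254.254.1"))
    asa.exempts.append(Exempt("Inside-1", "10.0.0.0/23", "10.254.254.0/24"))
    if keep_dmz_exempt:                  # the dmz_nonat_outbound line Voltz-dk says to delete
        asa.exempts.append(Exempt("DMZ", "10.254.254.0/24", "10.0.0.0/23"))
    if hairpin_static:                   # static (DMZ,Inside-1) 64.143.x.x 10.254.254.1
        asa.statics.append(Static("DMZ", "Inside-1", "64.143.0.1", "10.254.254.1"))
    return asa
```

Running `session_works(build(True, True), "Inside-1", "10.0.0.50", "64.143.0.1")` reproduces the poster's failed first attempt (the DMZ exemption lets the reply leave untranslated), and `build(True, False)` reproduces the working state, with 10.254.254.1 unreachable from inside in both cases.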
 

Author Comment

by:VoyagerHealthCare
ID: 24123007
Hello Voltz, trying it with just the one statement you suggested worked. But like you and Fred said, the server will no longer answer on 10.254.254.1. When needing to access this server for administrative purposes, I can comment out the static mapping. However, this server is a member of the domain (not a DC), so it will not be able to communicate with AD any longer. Is there a way to overcome this limitation?

BTW: Voltz, you mentioned the NAT exemptions being a nightmare. Can you elaborate? I know there are a bunch of them, but we have a lot of field sites coming in through VPNs.
0
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24123046
You can't access it by the 10.254.254.1 address with this configuration.

Maybe you should take a different approach.  If you have internal DNS servers, create a zone for the website domain and create an A record for the www but pointing to the 10.254.254.1 address.  The certificate should be for the hostname (not the IP) so you won't get a mismatch as long as you are connecting to the website by domain name.
0
 

Author Closing Comment

by:VoyagerHealthCare
ID: 31568277
Thanks Fred. I decided to go with your last suggestion. It is working well. Thanks again.
0
