NAT/PAT problems - ASA / ASDM

We deployed an ASA 5505 to handle our network firewall/routing in our office, and have discovered that we cannot connect to services via our external address.


Connected internally to our network, we were able to get to services running internally but from our external address. When we try from a connection outside of our network, it's fine:

Our internal network connects us at 192.168.x.x, and we have servers running services that are definitely up and working (verified) when connecting internally. We need to be able to connect via our external IP from inside our network. We're using an ASA5505 with ASA 8.2, which we're managing via ASDM 6.2.

What sort of rules do we need to add to make this happen?

luc_roy (System Admin) Commented:
The first question would be: do you have multiple public IPs? If you are planning on providing more than one service and you want them to each get an IP, that can become costly.

You can static NAT an external IP to an internal one, here is an excellent tutorial

You can also do it by port if you only have one IP and want to map your public IP to a private IP and direct them to a particular port, HTTP, FTP, etc.

The only issue with this is getting people to remember the IPs. Once you have the static NAT in place you might want to use a service like GoDaddy to redirect a domain to your IP so people do not need to remember an IP but a relevant domain name.

pulseeenergy (Author) Commented:
All of our services are redirected through a single external IP (209.x.x.1) , and we have rules in place to direct that traffic to various servers etc. We have a number of developers trying to ssh into one of our servers using a tunnel that's configured to connect at the external address. Additionally, they have a number of things going on that rely on that setup.

Pete Long (Technical Consultant) Commented:
You need to set up port forwarding.
Note: to port forward SSH, make sure you don't have any SSH access set up on the outside interface.
Issue a "show run ssh" to see
pulseeenergy (Author) Commented:
And that would allow connectivity in that manner even if they're inside of that network?
luc_roy (System Admin) Commented:
Yes, it would. You just need to make sure you set up a forward for each port you are using.
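
The check Pete Long describes (SSH management on the outside interface versus an SSH port forward on that same interface) can be run offline against a saved running-config. The Python sketch below is an added example, not code from the thread or from Cisco; the sample config lines, the addresses and the function names are constructed for illustration and use the ASA 8.2 (pre-8.3) `static` syntax.

```python
import re

# Constructed sample of ASA 8.2 running-config lines (not from the thread).
# 192.168.1.x and 203.0.113.0/24 are placeholder addresses.
SAMPLE_CONFIG = """\
ssh 203.0.113.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
static (inside,outside) tcp interface ssh 192.168.1.10 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq ssh
"""

# The ASA prints well-known ports by name, so accept names and numbers.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "ftp": 21}

# "ssh <network> <mask> <interface>": management SSH, as "show run ssh" lists it.
SSH_MGMT = re.compile(r"^ssh\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+(\S+)$")
# Static PAT on the interface address: one port forward per line.
STATIC_PAT = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(tcp|udp)\s+interface\s+(\S+)\s+(\S+)\s+(\S+)")

def port_number(token):
    """Translate a port token to an int, or None for a name not in PORT_NAMES."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)

def ssh_mgmt_interfaces(config):
    """Interfaces on which the ASA itself accepts SSH sessions."""
    return {m.group(1) for line in config.splitlines()
            if (m := SSH_MGMT.match(line.strip()))}

def port_forwards(config):
    """Every static PAT rule that forwards a port on an interface address."""
    rules = []
    for line in config.splitlines():
        if (m := STATIC_PAT.match(line.strip())):
            real_ifc, mapped_ifc, proto, mport, host, rport = m.groups()
            rules.append({"mapped_ifc": mapped_ifc, "proto": proto,
                          "mapped_port": port_number(mport),
                          "host": host, "real_port": port_number(rport)})
    return rules

def ssh_conflicts(config):
    """Forwards of TCP/22 on an interface where management SSH is also enabled."""
    mgmt = ssh_mgmt_interfaces(config)
    return [r for r in port_forwards(config)
            if r["proto"] == "tcp" and r["mapped_port"] == 22
            and r["mapped_ifc"] in mgmt]

if __name__ == "__main__":
    for rule in ssh_conflicts(SAMPLE_CONFIG):
        print("SSH forward to", rule["host"], "collides with management SSH on",
              rule["mapped_ifc"])
```

Each port in use needs its own `static` line, so `port_forwards` also serves as a quick inventory of what is exposed on the external address.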