Solved

Can I set our ASA5520 to allow a user from within the LAN to connect to an external IP address which is on the WAN interface of our Firewall?

Posted on 2010-09-16
468 Views
Last Modified: 2012-06-21
Currently I have a number of clients within our network who have their own VLANs. We have allocated them public IP addresses on our firewall which NAT through to their VLANs. When outside of our network they can connect to these public IP addresses on port 80, 21 etc. depending on the services they have running. However, when they are inside our network they cannot connect to these public IP addresses at all.

Is it possible to configure this, and where do I do it? I am currently running an ASA5520 firewall with ASA version 7.2(1).
Question by:btec_bob
4 Comments
LVL 17

Accepted Solution

by:
Kvistofta earned 300 total points
ID: 33692734
Short answer: no.

A basic limitation of the ASA is that if you have an internal resource which is publicly available through NAT, you cannot access that internal host from another internal host via its public IP.

There are ways around this. One is to use DNS to reach that resource. If the DNS is internal you can configure it to give out the inside/real IP. If the DNS server is public you can make your internal hosts go through the firewall to do the DNS lookup, and by using the "dns" parameter of the static command for the target resource you can make the ASA replace the IP in the DNS answer from the public IP to the internal/private one.

/Kvistofta
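As an added worked example (not from the original thread, and not Cisco's own configuration example), the following ASA 7.2-style configuration shows the DNS rewrite approach Kvistofta describes. The addresses (203.0.113.10 as the client's public IP, 192.168.10.10 as the real host on the client VLAN), the interface names and the ACL name are placeholders assumed for illustration.

```cisco
! Assumed addressing (example values, not from the thread):
!   public IP on the outside interface: 203.0.113.10
!   real server on the client VLAN (inside): 192.168.10.10
!
! Static one-to-one NAT with the "dns" keyword: when a DNS reply passing
! through the ASA to an inside host carries an A record of 203.0.113.10,
! the ASA rewrites it to 192.168.10.10, so the inside host then connects
! directly to the private address instead of trying to hairpin via outside.
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 dns

! Inbound rules for users outside the network; DNS rewrite does not change
! them and opens no additional inbound path.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq ftp
access-group outside_in in interface outside

! The rewrite only happens if DNS inspection is applied to the traffic that
! carries the lookups; this is the default global policy on ASA 7.2.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Two checks after applying it: `show running-config static` should list the mapping with the `dns` keyword, and `show service-policy inspect dns` should confirm DNS inspection is active. Then run an nslookup from a host on the client VLAN against the external resolver; the answer should come back as 192.168.10.10. If the clients use an internal resolver, the reply never crosses the ASA and this configuration has no effect; in that case the internal DNS zone has to hand out the private address itself, as the first alternative in the answer describes.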
 
LVL 5

Assisted Solution

by:StefanKamp
StefanKamp earned 200 total points
ID: 33693378
Agree on kvistofta's comment; it's called dns-rewrite. A similar setup can be found here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
 

Author Closing Comment

by:btec_bob
ID: 33694934
Both answers were accurate, and the additional submission had more detail on how to configure it.
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33695035
Thanks for the points.