masdf123
asked on
Cisco ASA 8.3 Configuration
Hi,
I am using ASA 5505 8.3
Setup is as follows:
2 VLANs: inside and outside.
Outside
1.1.1.38 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.1.1.37 1
Inside:
10.1.1.1 255.255.255.0
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PC
host 10.1.1.39
object network PC
nat (inside,outside) static 1.1.1.39
10.1.1.39 can access the internet using => 1.1.1.39 fine.
All others can access the internet using 1.1.1.38 fine.
So when I add an ACL, for example:
access-list outside_in extended permit tcp any 10.1.1.39 eq smtp
access-group outside_in in interface outside
Outside SMTP traffic is getting in fine (to PC 10.1.1.39). So far everything is functional.
Now, I have a PC2 (10.1.1.50) trying to access 10.1.1.39 using its public IP (1.1.1.39) which doesn't work.
It only works using the private IP 10.1.1.39 and not the 1-to-1 public IP 1.1.1.39.
Can you please assist in getting this to work using both the public and the private IP? Or is this not possible?
Thanks
ASKER
The DNS keyword doesn't solve my problem.
Hello there,
the only way to get this working is to use the dns translation as mentioned above already.
You cannot contact the public IP of your NAT'ed host from the inside; that's not possible. What _IS_ possible is that you can access it using the DNS domain name, which then gets translated properly.
Let's say, for example, there is a DNS record for 1.1.1.39 somewhere called "mailserver.yourdomain.com".
When people from outside your network try to reach "mailserver.yourdomain.com", it will resolve to 1.1.1.39.
When someone from inside your network tries to reach "mailserver.yourdomain.com", it will also resolve to 1.1.1.39.
By specifying the "dns" keyword for the 1:1 translation in your ASA configuration, the behaviour for inside hosts will change, because the ASA knows that it needs to translate the DNS reply in the answer from your DNS server to the internal IP address of this host. So when you resolve the name "mailserver.yourdomain.com" from your internal network, your clients will be able to connect to it because the ASA silently replaces the IP address 1.1.1.39 with 10.1.1.39.
bye,
Alex
There was a way before 8.3; I don't know if this works when 'translated' to the new syntax.
But try:
object network obj-10.1.1.39
host 10.1.1.39
nat (inside,inside) static 1.1.1.39
And see if that might work.
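One way to write out both suggestions from this thread (Alex's DNS rewrite and erniebeek's same-interface translation) in 8.3 object/twice-NAT syntax. This is an added example, not configuration posted by anyone in the thread; the object names PC-public and inside-net and the packet-tracer check are my additions, while the dns keyword, same-security-traffic and twice-NAT destination syntax are standard ASA 8.3 commands.

```cisco
! Added example for the asker's setup: PC = 10.1.1.39 mapped 1:1 to 1.1.1.39.
!
! Option A: DNS doctoring. The ASA rewrites the A record 1.1.1.39 -> 10.1.1.39
! in DNS replies that cross the firewall, so inside clients connect to the
! private address while resolving the same public name as everyone else.
! Caveats: DNS inspection must be on (it is in the default global policy),
! and the reply must actually traverse the ASA; an internal DNS server that
! answers inside clients directly is never seen, and nothing changes.
object network PC
 host 10.1.1.39
 nat (inside,outside) static 1.1.1.39 dns
!
! Option B: hairpin (U-turn) NAT, so the literal public IP works from inside.
! Traffic enters and leaves the same interface, so intra-interface forwarding
! must be allowed. The twice-NAT rule translates the destination 1.1.1.39 back
! to 10.1.1.39 ("destination static <mapped> <real>") and hides the client
! behind the inside interface address so the server's reply returns via the
! ASA instead of going straight to the client and being dropped as asymmetric.
same-security-traffic permit intra-interface
object network PC-public
 host 1.1.1.39
object network inside-net
 subnet 10.1.1.0 255.255.255.0
nat (inside,inside) source dynamic inside-net interface destination static PC-public PC
!
! Check: PC2 (10.1.1.50) to 1.1.1.39 on SMTP; the trace should show the
! destination translated to 10.1.1.39 and the flow allowed.
packet-tracer input inside tcp 10.1.1.50 12345 1.1.1.39 25
```

Option B makes inside clients appear as the ASA's inside address in the server's logs, so apply it only to the hosts that need the public address; the dns rewrite in option A keeps the real client source visible.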
ASKER
erniebeek: Can you please point out the configuration to make this work in a version prior to 8.3?
Thanks