computication

Cisco ASA - is it possible that the NAT rules are accessible from the internal network?

Hello,

I'm searching for the following.

I have a few Cisco ASA firewalls to manage. I'm wondering if the following is possible: (example)

I got a mail server with webmail in my internal network (internal IP is for example 192.168.1.1). On my Cisco ASA I create a NAT/firewall rule so that webmail is accessible from the internet (external IP is for example 82.1.1.1).

I create an external DNS entry so that webmail.example.com points to 82.1.1.1.

But now it is not possible to access webmail from the internal network with the created DNS entry.

I solve this by creating an internal DNS entry that points to the internal address 192.168.1.1.

This costs me a lot of double work.

Is there a way that the Cisco ASA understands that when I try to access webmail from its own external address, it directs me through the NAT rule back inside the internal network to my mail server?

If it is not completely clear I could make you a Visio drawing.
Ernie Beek

Well, this is by design. You have the 'public ip' DNS, the internet side, and the 'private ip' DNS to resolve internal hostnames (normally in a private ip range). So I assume you don't have a DNS server on your network?

It should be possible (though not recommended), just let me see where I left that documentation...
I have to agree with Ernie. That's the example you need.
computication

ASKER

That looks like what it should be. Unless I don't have a DMZ.

I tried this command:

static (outside,inside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

It doesn't work for now, I will spend some more time on it later.
Oh wait, this is the document with two interfaces (inside and outside): http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hi,
You should revert outside and inside in the static command:

static (inside,outside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

max
Ah, I'm starting to get a clue of it.

But...

When I do:

static (inside,outside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

I receive the error:

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
Use the alias command

alias (inside) 192.168.1.1 82.1.1.1 255.255.255.255

This makes it so that any inside connections that try to reach 82.1.1.1 will be sent to 192.168.1.1 instead.
Hi,

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

... is telling you that you're using the ASA's own IP address. If you want to use the dns keyword efficiently, you'd better use another public IP to NAT your server.

max
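A worked configuration for the approach max describes (a dedicated public address plus DNS doctoring), added here as an illustration and not taken from any post above. It assumes 82.1.1.2 is a second, unused address from the same public block, that the public A record for webmail.example.com is changed to 82.1.1.2, and it uses the pre-8.3 static syntax that this thread is using.

```cisco
! Rejected by the ASA with the error quoted above: the outside interface
! address itself cannot be used as a one-to-one static with the dns keyword.
! static (inside,outside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

! Working form: a second public address (82.1.1.2, assumed here) is dedicated
! to the mail server, so a one-to-one static with DNS rewriting is accepted.
static (inside,outside) 82.1.1.2 192.168.1.1 netmask 255.255.255.255 dns

! Only permit from the internet the services the webmail host actually needs.
access-list outside_access_in extended permit tcp any host 82.1.1.2 eq https
access-list outside_access_in extended permit tcp any host 82.1.1.2 eq smtp
access-group outside_access_in in interface outside

! The dns keyword only rewrites A records when DNS inspection is enabled.
! This is the ASA default global policy, shown so it can be checked.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Result: an inside client that resolves webmail.example.com through an
! outside DNS server receives 192.168.1.1 instead of 82.1.1.2 in the reply,
! so the duplicate internal DNS entry is no longer needed.
```

Verify the translation with `show xlate` and the inspection counters with `show service-policy inspect dns`.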