Cisco ASA - is it possible that the NAT rules are accessible from the internal network?

Hello,

I'm searching for the following.

I have a few Cisco ASA firewalls to manage. I'm wondering if the following is possible (example):

I have a mail server with webmail in my internal network (the internal IP is, for example, 192.168.1.1). On my Cisco ASA I create a NAT/firewall rule so that webmail is accessible from the internet (the external IP is, for example, 82.1.1.1).

I create an external DNS entry so that webmail.example.com points to 82.1.1.1.

But now it is not possible to access webmail from the internal network with the created DNS entry.

I solve this by creating an internal DNS entry that points to the internal address 192.168.1.1.

This costs me a lot of double work.

Is there a way for the Cisco ASA to understand that when I try to access webmail via its own external address, it directs me through the NAT rule back inside the internal network to my mail server?

If it is not completely clear I could make you a Visio drawing.
0
Asked by: computication
1 Solution
 
Ernie Beek (Expert) commented:
Well, this is by design. You have the 'public ip' DNS, the internet side, and the 'private ip' DNS to resolve internal hostnames (normally in a private ip range). So I assume you don't have a DNS server on your network?

It should be possible (though not recommended), just let me see where I left that documentation...
0
 
Ernie Beek (Expert) commented:
0
 
Robert Sutton Jr (Senior Network Manager) commented:
I have to agree with Ernie. That's the example you need.
0
 
computication (Author) commented:
That looks like what it should be. Unless I don't have a DMZ.

I tried this command:

static (outside,inside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns


It doesn't work for now; I will spend some more time on it later.
0
 
Ernie Beek (Expert) commented:
Oh wait, this is the document with two interfaces (inside and outside): http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
0
 
max_the_king commented:
Hi,
you should swap outside and inside in the static command:

static (inside,outside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

max
0
 
computication (Author) commented:
Ah, I'm starting to get a clue.

But...

when I do:

static (inside,outside) 82.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

I receive the error:

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
 
Sepist commented:
Use the alias command:

alias (inside) 192.168.1.1 82.1.1.1 255.255.255.255

This makes it so that any inside connections that try to reach 82.1.1.1 will be sent to 192.168.1.1 instead.
0
 
max_the_king commented:
Hi,

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

... is telling you that you're using the ASA's own IP address. If you want to use the dns keyword efficiently, you'd better use another public IP to NAT your server.

max
0
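The approach the thread converges on (a static translation with the dns keyword on a public address that is not the outside interface itself), written here as an added example rather than configuration from any of the posts. It uses the ASA 8.3 and later object NAT syntax; 82.1.1.2 as a spare public address, the object name and the hostname are assumptions.

```cisco
! Added example: DNS rewrite ("DNS doctoring") for the webmail server.
! Assumption: 82.1.1.1 is the outside interface address, which triggers the
! "Static PAT using the interface" error, so a second public address
! 82.1.1.2 (assumed) is used for the server as suggested in the thread.
object network obj-webmail
 host 192.168.1.1
 ! One-to-one static NAT. The dns keyword makes the ASA rewrite the A record
 ! in DNS replies that pass through it, so an inside client resolving
 ! webmail.example.com gets 192.168.1.1 instead of 82.1.1.2.
 nat (inside,outside) static 82.1.1.2 dns
!
! The rewrite only happens when DNS inspection is enabled. It is part of the
! default global policy; shown here in case it was removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Pre-8.3 equivalent of the same rule (the form used in this thread):
! static (inside,outside) 82.1.1.2 192.168.1.1 netmask 255.255.255.255 dns
!
! Checks after applying the configuration:
! show nat detail                      -> rule present, translate hits increase
! show xlate | include 192.168.1.1     -> translation 192.168.1.1 -> 82.1.1.2
! From an inside host, resolve webmail.example.com against the external
! DNS server; the answer should be 192.168.1.1.
```

Note that the dns keyword changes only the DNS answer, not the traffic: the inside client's query must be answered by a DNS server on the other side of the ASA so the reply traverses the firewall, which is why an internal DNS server (as the asker had) makes the rewrite unnecessary but also means it never fires. A client that already has 82.1.1.2 cached, or uses a hosts file entry, is not helped by this.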
 
computication (Author) commented:
I haven't got any further on this case and I accepted that it will not work in an easy way. I thought it would be an easy thing.
0
 
computication (Author) commented:
No solution
0