Cisco ASA 5510 static NAT hairpinning

I have an ASA that on the inside has the local LAN 192.168.208.0/24. In that LAN I have both PCs and a server, 192.168.208.6, which is assigned static NAT/PAT to a certain outside IP. The thing is that I can see the server from outside, and from basic hairpinning I can even see it from itself by going to http://189.210.x.x/, but I cannot seem to make it work on the other LAN PCs, which is quite weird. Can you help me sort it out?

name 189.210.x.x SERVER_OUTSIDE
name 192.168.208.6 SERVER_INSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
static (Inside,Inside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host SERVER_OUTSIDE eq www


cristiansava Asked:

cristiansava (Author) Commented:
BTW, I am using an older IOS: 8.2 (5)
MarcusSjogren Commented:
Hi,

I think you need to add the following line for it to work:

global (inside) 1 interface

It will enable PAT for returning traffic.

There is another solution to this as well. Basically, add the word "dns" to the NAT command and it will use "DNS Doctoring", which will change DNS requests regarding your public IP and respond with the internal IP; a DNS-NAT, one could say.
This requires that you are using an external DNS, though, so the DNS requests are going through the firewall.

Command:
static (inside,outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255 dns

Marcus
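
A simplified model of the hairpin path discussed in this thread, added here as an example and not part of any poster's message or configuration: it traces a LAN PC's request to SERVER_OUTSIDE with and without the source PAT that `global (inside) 1 interface` is meant to provide. The public IP, the ASA inside address and the client address are constructed stand-ins, since the thread does not give them.

```python
from dataclasses import dataclass, replace

# Constructed addresses: the thread elides the public IP (189.210.x.x) and does
# not give the ASA inside address or a client address, so these are stand-ins.
SERVER_OUTSIDE = "203.0.113.10"  # placeholder for SERVER_OUTSIDE
SERVER_INSIDE = "192.168.208.6"  # from the thread
ASA_INSIDE = "192.168.208.1"     # assumed Inside interface address
LAN_PC = "192.168.208.50"        # assumed client on 192.168.208.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def hairpin(client: str, inside_pat: bool) -> dict:
    """Trace one request and reply from a LAN client to SERVER_OUTSIDE.

    inside_pat models 'global (inside) 1 interface' being present, so that
    'nat (Inside) 1' also rewrites the source of traffic leaving via Inside.
    """
    request = Packet(src=client, dst=SERVER_OUTSIDE)
    # static (Inside,Inside): the ASA rewrites the destination to the server.
    at_server = replace(request, dst=SERVER_INSIDE)
    if inside_pat:
        at_server = replace(at_server, src=ASA_INSIDE)
    # The server answers whatever source address it saw.
    reply = Packet(src=SERVER_INSIDE, dst=at_server.src)
    via_asa = reply.dst == ASA_INSIDE
    if via_asa:
        # The reply hits the ASA, which reverses both translations.
        reply = Packet(src=SERVER_OUTSIDE, dst=client)
    # Otherwise the reply goes straight across the LAN, untranslated.
    # The client only accepts a reply from the address it connected to.
    accepted = reply == Packet(src=request.dst, dst=request.src)
    return {
        "server_sees_src": at_server.src,
        "reply_via_asa": via_asa,
        "client_sees_src": reply.src,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for pat in (False, True):
        print(f"inside PAT={pat}: {hairpin(LAN_PC, pat)}")
```

With inside PAT the server sees every hairpinned LAN client as the ASA's inside address, so per-client attribution for that traffic has to come from the ASA's translation logs rather than the server's access log.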
cristiansava (Author) Commented:
I will try the global inside statement. The DNS doctoring I already tried out, with no effect.