ASA5520 bidirectional NAT

Cisco Asa 5520 vpn/firewall
January 27, 2011 at 13:59:51
Specs: Windows XP
This is probably super-simple.

I'm trying to allow access to a web server behind our ASA5520. I've added the NAT route and everything works fine from the web, except no one inside the network can access the server using the outside address. What am I overlooking?




#1
January 27, 2011 at 14:14:06
They are supposed to use the internal IP address. There is no reason to go through the net.

How do you know when a politician is lying? His mouth is moving.



#2
January 27, 2011 at 14:20:19
If we have a link on a public website to http://24.284.55.129/files/bigvideo... they will get a server error if they're inside the network.


#3
January 27, 2011 at 14:27:07
You should normally use indirect links on the web server, so that websites living on the web server itself will work independently of the IP address of the web server.
In that case, it doesn't matter whether the websites are requested internally or externally.
It's also better if you change ISPs: you'll get a completely different IP address for your web server, and you won't have to make changes to the websites themselves.

Click Here on HowTo ask good Question to get best Help
Let us know, if the problem is solved !!!



#4
January 27, 2011 at 14:41:19
I'm not looking for an alternate setup. I simply want to be able to communicate with this device via its public NAT IP regardless of where I am in relation to the firewall.

But just for grins, let's say I have website.com pointing to 24.5.5.10. In the firewall, I have 24.5.5.10 being translated to 192.168.1.254, the address of our webserver. If I type website.com, our website loads. But if I go to the office and am behind the firewall, I type website.com and it fails.

I need to allow traffic from the inside port (192.168.0.0) to communicate with 24.5.5.10.



#5
January 27, 2011 at 15:40:38
You should have an internal DNS server. Seems pretty simple to create an alias for "website.com" to point to the local web server's IP.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#6
January 27, 2011 at 15:51:08
Make an entry in the hosts file.


#7
January 27, 2011 at 15:55:47
If you are using an internal DNS server, you can also create a DNS entry for website.com, pointing to the internal IP address of the web server.


#8
January 27, 2011 at 16:14:46
http://24.284.55.129/files/bigvideo..

BTW, that's not an internal IP.


#9
January 27, 2011 at 17:21:05
Of course it's not an internal IP. It's not even a VALID IP. It's hypothetical. As is the domain name.

But I'm not planning on using a domain name. We have a website hosted elsewhere that has limits and restrictions on certain things. I just want to make a link to a file that we're hosting internally. This is not something we're going to be doing often; I'm not looking for hosting alternatives. Our IPs are not changing.

Surely there is a simple config setting for this. No one?



#10
January 28, 2011 at 07:58:10
You can use the hosts file to make it work but that has to be done on each machine. My point was that if you are hosting your own site, the users on the LAN access it internally. They don't access it the same way I would from here.

Either that or put it in the DMZ. Most people want it there anyway for LAN security.


#11
January 28, 2011 at 08:10:42
I can't use a hosts file to re-route an IP.


#12
January 28, 2011 at 10:24:49
It just tells it where to look.


#13
January 28, 2011 at 10:40:47
lavascript, why do you think you need to redirect?

In other words you have a local name resolution issue.

This is not an issue of trying to make routing do something it's not designed to do, which is "bounce" off a WAN interface to get to the local web server.
