
accessing another device on inside network via external ip

kr5 (MIS), US, Mar 5, 2009
I have an ASA 5510. Inside interface is 10.30.0.1, connects to a 3750. The 3750 does all the vlans and inter-vlan routing.

User network is in 10.1.0.0/24, web servers in 10.2.0.0.

The web servers in 10.2.0.0/24 have static NATs to 1.1.1.x and proper access list rules to allow access to the external IP, port 80, from the outside interface.

There is a global NAT for 10.1.0.0/24 to 1.1.1.2.

I can access http://10.2.0.10 from the user network, since that goes directly through the switch, but the external NAT address for 10.2.0.10 does not work.

I am trying to avoid having to redo a bunch of local DNS changes, which is the only other option I see.

Am I missing some sort of NAT translation that maps the external NAT'd address back to the inside network?
 
This is pretty much the gist of it.

ASA Version 8.0(2)
!
hostname ASA5510-FW1
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.160.254 255.255.252.0 standby X.X.160.250
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN Failover Interface
!
interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/2
nameif inside
security-level 100
ip address 10.30.0.251 255.255.255.0 standby 10.30.0.250
same-security-traffic permit intra-interface

access-list StaffNat extended permit ip 10.1.0.0 255.255.255.0 any
access-list In-ACL extended permit tcp any host X.X.162.232 eq www

global (outside) 1 X.X.160.252 netmask 255.255.255.255
nat (inside) 1 access-list StaffNat
static (inside,outside) X.X.162.232 10.3.0.232 netmask 255.255.255.255

access-group In-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.162.253 1
route inside 10.1.0.0 255.255.255.0 10.30.0.254 1
route inside 10.2.0.0 255.255.255.0 10.30.0.254 1
route inside 10.3.0.0 255.255.255.0 10.30.0.254 1
 
check out the alias command

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK, I added alias (inside) X.X.162.232 10.3.0.232 255.255.255.255

Still no dice.
 
Just over-sanitizing at first. I will try the cl xlate.
 
Are the internal hosts getting the external address via dns resolution?
 
The network isn't live yet so they are not pulling any DNS, I was just testing from a router on the staff network (10.1.0.77) trying to telnet to X.X.162.232 on port 80.
 
You won't get a socket internally. Rather test from the outside.
 
Yeah, it works fine from the outside; the trouble is I want the staff on the inside to be able to access it at both 10.3.0.232 and X.X.162.232. I think the DNS doctoring should work, I just don't have any DNS server on the fake network yet.

 
Yes, DNS doctoring was where I was going with my post. However, if the host is going to be on the inside network and not the DMZ, then I would merely use the internal DNS server to route them there instead of any doctoring.
 
Yeah, I was trying to avoid that, lots of web servers... but if that's what has to be done, that's what has to be done.
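As an added example that is not from any poster, this is the DNS doctoring form of the static NAT discussed above, using the server and public address from the posted config. It assumes the inside hosts resolve the server's name through a resolver reached via the ASA's outside interface (so the DNS reply crosses the firewall) and that DNS inspection is enabled, as it is in the default global_policy on this release.

```text
! Posted static: rewrites only the IP headers, so an inside host that
! connects to X.X.162.232 still arrives at the outside interface and
! gets no socket back (the reply from 10.3.0.232 goes straight out the
! 3750, never through the ASA).
no static (inside,outside) X.X.162.232 10.3.0.232 netmask 255.255.255.255
!
! Same static with the dns keyword: the ASA also rewrites the A record in
! DNS replies crossing outside -> inside from X.X.162.232 to 10.3.0.232,
! so staff clients connect to the private address directly via the 3750.
static (inside,outside) X.X.162.232 10.3.0.232 netmask 255.255.255.255 dns
!
! Drop the old translation so the new static takes effect (as suggested above).
clear xlate
!
! Checks (constructed for this example): confirm DNS inspection is applied
! and that the translation is installed.
show service-policy inspect dns
show xlate | include 10.3.0.232
```

Hosts that use an internal resolver never send their DNS queries through the ASA, so the rewrite does not occur for them; that is the case where the internal DNS record has to point at 10.3.0.232 instead, as the last reply says.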
 