P1 wrote:
> Artie Lange wrote:
>> Artie Lange wrote:
>>> P1 wrote:
>>>> I've seen this work on other ASAs that I don't administer so I know
>>>> it can be done, but haven't been able to figure it out on my own
>>>> network. Connecting to inside hosts from other inside hosts by using
>>>> those hosts' static public IPs.
>>>>
>>>> For example:
>>>>
>>>> static (inside,outside) 123.123.123.1 172.16.10.1 netmask
>>>> 255.255.255.255
>>>> static (inside,outside) 123.123.123.2 172.16.10.2 netmask
>>>> 255.255.255.255
>>>>
>>>> Connecting from host1 (172.16.10.1) to 123.123.123.2 doesn't work,
>>>> but I would like it to connect to host2 at 172.16.10.2.
>>>>
>>>> I would like to do this so I don't have to add a bunch of entries
>>>> into the hosts file or set up my own DNS just to manage those zones.
>>>>
>>>> Thanks,
>>>> Paul
>>>
>>> Google DNS doctoring.
>>>
>>> http://www.cisco.com/en/US/products/...807968c8.shtml
>>>
>>
>> However you still need an internal DNS server.
>
> Good document, thanks! I think the solution I was looking for is in the
> same doc, but presented as - Alternative Solution: Destination NAT
> I will try this out.
>
> Btw, the first solution (DNS Doctoring) does not require an internal DNS
> server. The exact purpose of this solution is for situations where there
> isn't one. If there were one, the zones could be altered internally.
For the benefit of future searchers...
The Destination NAT solution works fine between subnets (I have multiple
DMZs). For the same result within the same subnet, however, another
solution must be used. It's called Hairpinning and is described here:
http://www.cisco.com/en/US/products/...html#solution2
Make sure to read the caution caveat described at the top of the section
before implementing this solution. This will basically allow you to
connect to the public IPs of hosts on the same subnet as you.
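For readers who land here later, the two configurations the thread refers to, written out as an added example (this is not a configuration from the thread or from the Cisco document; it reuses the thread's addresses, assumes the pre-8.3 `static`/`nat`/`global` NAT syntax the original post uses, and assumes interface names `inside` and `dmz` and an inside subnet of 172.16.10.0/24):

```cisco
! --- Existing translations from the original post (unchanged) ---
static (inside,outside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255
static (inside,outside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! --- Destination NAT between subnets (the "Alternative Solution" in the doc) ---
! Lets hosts on the assumed "dmz" interface reach host2 by its public IP.
! The public address is presented on the dmz side; the ASA rewrites the
! destination to 172.16.10.2 as the packet crosses to inside.
static (inside,dmz) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! --- Hairpinning within the same subnet (inside -> inside) ---
! 1. Permit a flow to enter and leave the ASA on the same interface.
same-security-traffic permit intra-interface

! 2. Destination NAT on the inside interface itself, so traffic from
!    host1 sent to 123.123.123.2 is rewritten to 172.16.10.2.
static (inside,inside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! 3. Translate the source as well (PAT to the inside interface address,
!    assumed here). Without this, host2 would see host1's real address
!    and reply directly on the LAN, bypassing the ASA, and the half-open
!    connection on the firewall would break the session.
global (inside) 1 interface
nat (inside) 1 172.16.10.0 255.255.255.0
```

Two points a practitioner will want to check: the hairpinned path is only taken when host1's packet actually reaches the ASA, so hosts on that subnet must be using the ASA as their default gateway (that is what step 3 is protecting, and why the caution in the linked section matters); and if an access list is applied to the inside interface, it must permit the traffic to the public addresses, because the check is performed before the destination is rewritten. Whatever you change, verify with `show xlate` and `show conn` from the ASA while host1 connects, which shows both translations being built for one flow. On ASA 8.3 and later the same idea is expressed with `object network` and `nat (inside,inside)` statements instead of the syntax above.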