NAT and ASA5510

Discussion in 'Cisco' started by StefanoN@infotronics.com, May 18, 2006.

  1. Guest

    I'm setting up an ASA5510 with 1 public IP address on the outside interface.
    I've currently got all the internal hosts NATing out and I have several ports on the outside interface forwarding to specific hosts on the internal network. All this is working. What I'm now trying to do is allow an internal host to use one of the external IP addresses. Currently, it is not able to do so and I can't figure out why.

    Here's my current setup:

    External Interface:
    Assigned 200.10.10.1

    Internal Interface:
    Assigned 10.1.0.1

    Web server:
    Assigned 10.1.0.5


    I have a NAT pool consisting of the external interface IP (for use as PAT)
    I have a static PAT rule translating port 80 on 200.10.10.1 to port 80 on 10.1.0.5

    From a machine on the external interface, I can browse the web server.
    From the web server on the inside, I can get to anything on the external side.

    When I try to go to HTTP:\\200.10.10.1 from the web server on the internal network, the web page times out and the log on the ASA says that access was denied.

    Is what I'm trying to do possible? If so, what am I missing?
    , May 18, 2006
    #1

  2. In article <>,
    <> wrote:
    >I'm setting up an ASA5510


    >Here's my current setup:


    >External Interface:
    > Assigned 200.10.10.1


    >When I try to go to HTTP:\\200.10.10.1 from the web server on the
    >internal
    >network, the web page times out and the log on the ASA says that access
    >was denied.


    >Is what I'm trying to do possible?


    No.

    > If so, what am I missing?


    The ASA only allows packets to go into the ASA and back out the same
    logical interface in the case where at least one VPN tunnel is involved.

    If you need to be able to access the device by external IP *address*
    from inside, you will need to put it into a DMZ, or add more hardware.

    There are various solutions (some easy) if you can instead use host *name*
    instead of host *IP address*.
    Walter Roberson, May 18, 2006
    #2
