out and back in

Discussion in 'Cisco' started by P1, Jun 1, 2009.

  1. P1

    P1 Guest

    I've seen this work on other ASAs that I don't administer so I know it
    can be done, but haven't been able to figure it out on my own network.
    Connecting to inside hosts from other inside hosts by using those hosts'
    static public IPs.

    For example:

    static (inside,outside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255
    static (inside,outside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

    Connecting from host1 (172.16.10.1) to 123.123.123.2 doesn't work, but I
    would like it to connect to host2 at 172.16.10.2

    I would like to do this so I don't have to add a bunch of entries into
    the hosts file or set up my own DNS just to manage those zones.

    Thanks,
    Paul
    P1, Jun 1, 2009
    #1

  2. P1

    P1 Guest

    Artie Lange wrote:
    > Artie Lange wrote:
    >> P1 wrote:
    >>> I've seen this work on other ASAs that I don't administer so I know
    >>> it can be done, but haven't been able to figure it out on my own
    >>> network. Connecting to inside hosts from other inside hosts by using
    >>> those hosts' static public IPs.
    >>>
    >>> For example:
    >>>
    >>> static (inside,outside) 123.123.123.1 172.16.10.1 netmask
    >>> 255.255.255.255
    >>> static (inside,outside) 123.123.123.2 172.16.10.2 netmask
    >>> 255.255.255.255
    >>>
    >>> Connecting from host1 (172.16.10.1) to 123.123.123.2 doesn't work,
    >>> but I would like it to connect to host2 at 172.16.10.2
    >>>
    >>> I would like to do this so I don't have to add a bunch of entries
    >>> into the hosts file or set up my own DNS just to manage those zones.
    >>>
    >>> Thanks,
    >>> Paul
    >>
    >> Google DNS doctoring.
    >>
    >> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
    >>
    >
    > However you still need an internal DNS server.


    Good document, thanks! I think the solution I was looking for is in the
    same doc, but presented as - Alternative Solution: Destination NAT
    I will try this out.

    Btw, the first solution (DNS Doctoring) does not require an internal DNS
    server. The exact purpose of this solution is for situations where there
    isn't one. If there was one, the zones could be altered internally.
    P1, Jun 1, 2009
    #2

  3. P1

    P1 Guest

    P1 wrote:
    > Artie Lange wrote:
    >> Artie Lange wrote:
    >>> P1 wrote:
    >>>> I've seen this work on other ASAs that I don't administer so I know
    >>>> it can be done, but haven't been able to figure it out on my own
    >>>> network. Connecting to inside hosts from other inside hosts by using
    >>>> those hosts' static public IPs.
    >>>>
    >>>> For example:
    >>>>
    >>>> static (inside,outside) 123.123.123.1 172.16.10.1 netmask
    >>>> 255.255.255.255
    >>>> static (inside,outside) 123.123.123.2 172.16.10.2 netmask
    >>>> 255.255.255.255
    >>>>
    >>>> Connecting from host1 (172.16.10.1) to 123.123.123.2 doesn't work,
    >>>> but I would like it to connect to host2 at 172.16.10.2
    >>>>
    >>>> I would like to do this so I don't have to add a bunch of entries
    >>>> into the hosts file or set up my own DNS just to manage those zones.
    >>>>
    >>>> Thanks,
    >>>> Paul
    >>>
    >>> Google DNS doctoring.
    >>>
    >>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
    >>>
    >>
    >> However you still need an internal DNS server.
    >
    > Good document, thanks! I think the solution I was looking for is in the
    > same doc, but presented as - Alternative Solution: Destination NAT
    > I will try this out.
    >
    > Btw, the first solution (DNS Doctoring) does not require an internal DNS
    > server. The exact purpose of this solution is for situations where there
    > isn't one. If there was one, the zones could be altered internally.


    For the benefit of future searchers...

    The Destination NAT solution works fine between subnets (I have multiple
    DMZs). For the same result within the same subnet, however, another
    solution must be used. It's called Hairpinning and is described here:
    http://www.cisco.com/en/US/products...ation_example09186a00807968d1.shtml#solution2
    Make sure to read the caution described at the top of the section
    before implementing this solution. This will basically allow you to
    connect to the public IPs of hosts on the same subnet as you.
    P1, Jun 1, 2009
    #3
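Configuration for the three approaches the thread names (DNS doctoring, destination NAT between interfaces, and hairpinning within one interface), added here as a worked example; it is not from the thread or from the linked Cisco documents. It assumes pre-8.3 ASA syntax (the same form as the statics above), a DMZ interface named dmz, and that NAT id 1 is not already in use on this ASA.

```cisco
! DNS doctoring: the existing one-to-one statics with the "dns" keyword,
! so the ASA rewrites the A record 123.123.123.x in DNS replies that cross
! it into the real address. Relies on DNS inspection, which the default
! global policy already enables. No internal DNS server is needed.
static (inside,outside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255 dns
static (inside,outside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255 dns

! Destination NAT between different interfaces: a host on the DMZ
! (interface name "dmz" is assumed) that connects to 123.123.123.2 has the
! destination translated to the real address 172.16.10.2.
static (inside,dmz) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! Hairpinning for hosts on the same inside subnet: let traffic enter and
! leave the inside interface, map the public address back to the real one,
! and source-translate the client to the ASA's inside address so the
! server's replies return through the ASA rather than going straight back
! to the client on the shared subnet (which would break the connection).
same-security-traffic permit intra-interface
static (inside,inside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 172.16.10.0 255.255.255.0
```

Verify with `show xlate` and `show conn` from the client: the hairpinned connection should appear with both a destination translation to 172.16.10.2 and a source translation to the inside interface address.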