How do I reach my internal server on the external IP?

The ASA firewall cannot route traffic. You need to masq the inside address against the external address.

Solution 1: DNS doctoring with static NAT

Let's say your external website IP address is 1.2.3.4, which is then port-forwarded (or directly NATed) to the internal IP address 192.168.0.10. With DNS doctoring, the following will happen:

  1. The client on the inside requests http://www.companyweb.com, which originally translates to 1.2.3.4
  2. The ASA intercepts the DNS reply packet and replaces the A record with 192.168.0.10
  3. The client gets very happy, as it can now open the company web site :-)

For more detailed info on how to enable this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Solution 2: Internal DNS server

This one is useful if you only have one external IP and you port-forward this IP to many internal services on different servers (let's say ports 80 and 443 go to 192.168.0.10, port 25 goes to 192.168.0.11, etc.).

It requires no configuration change on the ASA, but it will require you to duplicate your external domain on an internal DNS server (Active Directory has this built in). You just create the exact same records as you have now, only with internal IPs for the services you have internally.

"Solution" 3: DMZ interface with public IPs

I'm not going to get into much detail on this one, as it requires you to get a subnet of IP addresses from your ISP routed to your ASA. It's very hard these days with IPv4 starvation.
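As an added example (not part of the answer above), here is what solution 1 looks like on the ASA, using the addresses from the answer: 1.2.3.4 is the public address and 192.168.0.10 the internal web server. Both the 8.3+ object NAT syntax and the pre-8.3 static syntax are shown; the object, ACL and policy names are assumed, and the interfaces are assumed to be named inside and outside.

```cisco
! Added example: DNS doctoring for www.companyweb.com (1.2.3.4 -> 192.168.0.10).
! Object/ACL names are assumed; interfaces are assumed to be inside/outside.

! --- ASA 8.3 and later (object NAT) ---
object network WEB-SERVER
 host 192.168.0.10
 ! "dns" makes the ASA rewrite A records for 1.2.3.4 in DNS replies it
 ! inspects, so inside clients receive 192.168.0.10 instead
 nat (inside,outside) static 1.2.3.4 dns

! From 8.3 on, the inbound ACL references the real (inside) address
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.10 eq https
access-group OUTSIDE_IN in interface outside

! --- ASA 8.2 and earlier (legacy static) ---
! syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] dns
! static (inside,outside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255 dns
! pre-8.3 ACLs reference the mapped (public) address instead:
! access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq www

! The rewrite is done by DNS inspection, which must be active on the path
! the reply takes. It is part of the default global policy; shown here so
! the dependency is explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Two things to check before relying on this. First, the reply has to pass through the ASA: if inside clients use an internal resolver, that resolver's forwarded query to the outside is what gets rewritten, and the resolver then caches 192.168.0.10, which is fine; a resolver on a path the ASA never sees gets no rewrite. Second, the dns keyword belongs to a one-to-one static; Cisco's NAT documentation states that DNS rewrite is not applicable to PAT, so a port-forward (static PAT) of a single public address across several servers needs solution 2 instead. To verify, run nslookup www.companyweb.com from an inside client and confirm it returns 192.168.0.10.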


As other similar questions are being marked as duplicates with a reference to here, I wish to complement the excellent answer by @pauska with a 4th option.

Solution 4: Routing the traffic through NAT Hairpinning

Allowing traffic back through an interface on a Cisco PIX/ASA appliance, such as when a NATed client accesses a NATed server through its public IP, is called NAT hairpinning by Cisco.

It uses essentially the same configuration parameters as usual for NAT and port forwarding, but with the addition of this command:

    same-security-traffic permit intra-interface

and a second static mapping for inside-to-inside traffic to the server:

    ! syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
    static (inside,inside) x.x.x.x i.i.i.i

This is described in detail, complete with a configuration example, for a two-interface design here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

And here is a destination NAT alternative for a three-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2
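An added example of solution 4 (not from the answer above or from Cisco's page), filled in with the addresses used earlier on this page: public 1.2.3.4, server 192.168.0.10, and an assumed inside subnet of 192.168.0.0/24. The object names are made up. The 8.3+ twice-NAT form is the live configuration; the pre-8.3 static/global/nat form the answer refers to is given in comments for comparison.

```cisco
! Added example: NAT hairpinning, two-interface design.
! Assumed: inside subnet 192.168.0.0/24, interfaces named inside/outside,
! object names WEB-SERVER / WEB-PUBLIC / INSIDE-NET.

! Permit a flow to enter and leave the same interface (needed in both forms)
same-security-traffic permit intra-interface

! --- ASA 8.3 and later (twice NAT) ---
object network WEB-SERVER
 host 192.168.0.10
 ! the normal outside -> inside publication of the server
 nat (inside,outside) static 1.2.3.4
object network WEB-PUBLIC
 host 1.2.3.4
object network INSIDE-NET
 subnet 192.168.0.0 255.255.255.0

! inside -> inside: destination 1.2.3.4 is translated to 192.168.0.10, and the
! client's source is PATed to the inside interface address. Without the
! source translation the server would answer the client directly, and the
! client, which opened a connection to 1.2.3.4, would reset the reply that
! arrives from 192.168.0.10. Twice NAT (section 1) is evaluated before object
! NAT (section 2), so this rule wins for inside-originated traffic.
nat (inside,inside) source dynamic INSIDE-NET interface destination static WEB-PUBLIC WEB-SERVER

! --- ASA 8.2 and earlier (equivalent of the answer's static/nat/global form) ---
! nat (inside) 1 192.168.0.0 255.255.255.0
! global (outside) 1 interface
! global (inside) 1 interface
! static (inside,outside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255
! static (inside,inside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255
```

To confirm the translation and the intra-interface permit before testing from a client, trace a constructed flow on the ASA itself, for instance packet-tracer input inside tcp 192.168.0.50 12345 1.2.3.4 80, and check that the NAT phase shows the destination rewritten to 192.168.0.10 and the final action is allow. The price of hairpinning is that every hairpinned connection reaches the server from the inside interface address, so the web server's logs no longer show the real client IP; if that matters, solution 1 or 2 keeps the traffic off the firewall entirely.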