The Problem:
I recently had a situation where hosts on my internal LAN needed to communicate with a server on our DMZ using its public IP address instead of its private address.
In my case this was causing one-way audio on our Mitel Teleworker / Mitel Border Gateway solution. When calling an internal phone from a Mitel phone on the internal network, the conversation was one way.
After some packet tracing I found this was because when the phone on the internal network sent its traffic, it was sending it to the public IP address of the Mitel Teleworker / Mitel Border Gateway server in the DMZ rather than the server's private DMZ address.
The packets were being sent out towards the outside world and were being lost.
My Configuration:
I am using a Cisco ASA with three active interfaces: one is connected to the internal LAN (Core), one is connected to our DMZ and the final one is connected to the outside world.
Solution: ASA with a version above 8.3
If you are on a version higher than 7.0, use "Outside NAT".
This NATs clients on the inside interface that access the server via its public IP to the server's private IP.
ASDM:
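As an added example (not from the original post), the same Outside NAT rule written in the post-8.3 object NAT syntax, with constructed RFC 5737 / RFC 1918 addresses and hypothetical object names:

```cisco
! Added example, not the original post's configuration.
! 8.3+ equivalent of: STATIC (dmz,inside) <public> <dmz-private> netmask 255.255.255.255
! Constructed addresses: DMZ server 192.168.100.10, published as 203.0.113.10
!
! Normal publishing of the DMZ server to the outside world
object network DMZ-SERVER-OUTSIDE
 host 192.168.100.10
 nat (dmz,outside) static 203.0.113.10
!
! Outside NAT for inside clients: traffic from the inside interface sent to
! 203.0.113.10 is translated to 192.168.100.10 and delivered on the dmz
! interface instead of being routed out to the Internet. A second object
! is used because an object carries only one nat statement.
object network DMZ-SERVER-INSIDE
 host 192.168.100.10
 nat (dmz,inside) static 203.0.113.10
!
! Verification: the NAT phase should show 203.0.113.10 rewritten to
! 192.168.100.10 and the output interface should be dmz, not outside.
packet-tracer input inside udp 10.1.1.50 40000 203.0.113.10 5060
show nat detail
```

Remember that from 8.3 onwards access lists match on real (untranslated) addresses, so any ACL permitting this traffic should reference 192.168.100.10 rather than the public address.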
Solution: ASA with version below 8.3
If you are on a version higher than 7.0, use "Outside NAT".
This NATs clients on the inside interface that access the server via its public IP to the server's private IP.
Console:
1) Enter global config mode on the ASA
2) Enter the command
STATIC (dmz,inside) xx.xx.xx.xx ii.ii.ii.ii netmask 255.255.255.255
Where:
xx.xx.xx.xx is the PUBLIC address
ii.ii.ii.ii is the internal address on the DMZ
ASDM:
If you prefer to use ASDM, create a static NAT rule on your DMZ interface that looks like the one below.
Solution: PIX with a version earlier than version 7.0
If you are using a PIX earlier than version 7.0, use the ALIAS command to perform destination NAT (DNAT).
Console:
1) Enter global config mode on the PIX
2) Enter the command
ALIAS (inside) xx.xx.xx.xx ii.ii.ii.ii 255.255.255.255
Where:
xx.xx.xx.xx is the EXTERNAL address
ii.ii.ii.ii is the address on the DMZ
After version 7.0 the ALIAS command was deprecated. While it still works in version 7.0, Cisco ASDM doesn't support the ALIAS command in newer versions.