Firewall Wizards mailing list archives

ASA NAT makes real address inaccessible?
From: Neale Banks <neale () lowendale com au>
Date: Thu, 6 Jul 2006 20:06:26 +1000 (EST)

Greetings all,

I have an issue with NAT on a Cisco ASA 5520 running ASA software version
7.0(2) and being configured/managed via ASDM...

There are four interfaces relevant to this problem:

Internet --             -- New-DMZ
           \ _________ /
            |         |
            |   ASA   |
           /           \
Internal --             -- Old-DMZ

We relocated a WWW proxy (squid on Linux) from the Old-DMZ to the
New-DMZ, and it tested OK from an internal workstation (call it WS-A)
configured with the new proxy address.

In order to smooth the migration, we added a nat rule on the Internal
interface to translate the proxy's old address to its new address.  That
tested OK from an internal workstation (call it WS-B) configured with
the old proxy address.

But... after adding that NAT rule, WS-A (still configured with the new
proxy address) is unable to connect to the proxy - it seems that
configuring the NAT rule has made the real address inaccessible {:-(

I can think of a couple of different workarounds, involving having the
proxy listen on an additional IP address and/or TCP port, but these
seem like unnecessary hacks to work around a hopefully simple problem.

Any suggestions on how to solve this in the ASA config?


firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
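As an added illustration, not taken from the original post, this is the pre-8.3 ASA syntax the described migration rule most plausibly takes, using the interface names from the diagram. The `static` form, the subnets, and the host addresses are assumptions (constructed values), not the poster's configuration; the `show` commands at the end are the check a practitioner would run after a connection attempt from each workstation to see which translation and connection entries the ASA actually built.

```cisco
! Constructed example, not the poster's config. All addresses are made up:
!   Internal  10.0.0.0/24     WS-A 10.0.0.50, WS-B 10.0.0.51
!   Old-DMZ   172.16.1.0/24   proxy's old address 172.16.1.10 (no longer in use)
!   New-DMZ   172.16.2.0/24   proxy's real (new) address 172.16.2.10
interface GigabitEthernet0/1
 nameif Internal
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif New-DMZ
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
! The migration rule as described in the post: on the Internal interface,
! present the proxy's real address on New-DMZ under its old address.
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (New-DMZ,Internal) 172.16.1.10 172.16.2.10 netmask 255.255.255.255
!
! Checks to run from the ASA CLI right after a connection attempt:
!   show nat     - which NAT rules exist for the (New-DMZ,Internal) pair
!   show xlate   - after WS-B -> 172.16.1.10, expect a static xlate entry
!                  pairing global 172.16.1.10 with local 172.16.2.10;
!                  after WS-A -> 172.16.2.10, see whether any xlate appears
!   show conn    - whether WS-A's attempt (10.0.0.50 -> 172.16.2.10) was
!                  accepted as a connection at all, or never got built
```

Comparing the xlate and conn tables for the WS-A and WS-B attempts side by side shows whether the failure is a translation mismatch or a connection that never reaches the New-DMZ interface.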
