Internet access from host in the DMZ

Hi guys,

I have NAT 1:1 set up for a host in the DMZ. Also, access lists to allow a couple of ports from the internet and to the internal network, which is working just fine.

I can’t manage to allow this host in the DMZ to access the internet.

Partial config below:

object network DMZ-HOST01
 host XXX.XXX.XXX.XXX
object network DMZ-HOST01_Public_IP
 host YYY.YYY.YYY.YYY
 
object network INTERNAL-HOST01
 host ZZZ.ZZZ.ZZZ.ZZZ

nat (dmz,outside) after-auto source static DMZ-HOST01 DMZ-HOST01_Public_IP dns
access-list outside_access_in extended permit tcp any object DMZ-HOST01 eq 9443
access-list dmz_access_inside extended permit tcp object DMZ-HOST01 object INTERNAL-HOST01 eq 6110

access-group outside_access_in in interface outside
access-group dmz_access_inside in interface dmz

This ASA also provides internet access to the entire network.

Any thoughts?

Hello Vianney

At first glance, your configuration looks good except for the after-auto keyword used in the nat command. Is there a particular reason you have that employed? This keyword will cause the NAT rule to be executed towards the end of the NAT order of operations, where Twice NAT would be applied. Take a look at this Cisco documentation where it says:

By default, the NAT rule is added to the end of section 1 of the NAT table. See the “NAT Rule Order” section for more information about sections. If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.

The NAT Rule Table is a construct that shows the order of operations when Twice NAT is used. More info can be found here:

I don’t believe you are using Twice NAT here since you are not specifying a translation for the destination, so I suggest you remove this keyword and see what happens… Then we can continue troubleshooting other issues… Let us know how you get along!

I hope this has been helpful!

Laz