Question : From inside network, connect to inside host using public outside IP

This isn't exactly a hairpinning question like it sounds.  I have a Cisco ASA 5510 running firmware version 8.2(1) with 2 interfaces named "inside" and "guest", plus an outside interface going to the internet via our ISP's router.  What I can't seem to figure out is how I can allow a host on the "guest" network to connect to a host on the "inside" network using that "inside" network host's public NAT'd IP address.

For example, let's say I want host 192.168.4.4 to be able to connect to 192.168.3.123 using the IP 1.1.1.4.

I thought adding these two lines would work:
static (inside,guest) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
access-list guest_in line 1 extended permit tcp 192.168.4.0 255.255.255.0 host 1.1.1.4 eq www

The ASA seems to be dropping the traffic even with those lines added to the configuration.  What am I missing?

Thanks
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0

interface Ethernet0/2
 nameif guest
 security-level 50
 ip address 192.168.4.1 255.255.255.0 

access-list inside_in extended permit ip any any 

access-list outside_in extended permit tcp any host 1.1.1.4 eq www

access-list guest_in extended permit tcp 192.168.4.0 255.255.255.0 host 192.168.3.123 eq www
access-list guest_in extended deny ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list guest_in extended permit ip 192.168.4.0 255.255.255.0 any

access-list no_nat_inside extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 

nat-control

global (outside) 1 1.1.1.3
global (inside) 1 interface

nat (inside) 0 access-list no_nat_inside
nat (inside) 1 192.168.3.0 255.255.255.0

nat (guest) 0 access-list no_nat_guest
nat (guest) 1 192.168.4.0 255.255.255.0

static (inside,outside) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
static (inside,inside) 1.1.1.4 192.168.3.123 netmask 255.255.255.255

same-security-traffic permit intra-interface

access-group inside_in in interface inside
access-group outside_in in interface outside
access-group guest_in in interface guest
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
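To make the mechanics of the posted config easier to reason about, here is a small Python model of how a pre-8.3 ASA consults a `static (real_if,mapped_if) mapped_ip real_ip` entry for a packet arriving on one interface. It is an added illustration, not ASA code and not from the original post. Its assumptions (mine, not the asker's): a static is only consulted for packets that arrive on `mapped_if` addressed to `mapped_ip`; the ingress ACL is evaluated against the address the packet actually carries (the mapped/public address, as 8.2 interface ACLs do); when no static matches, the destination is simply routed. It deliberately ignores source-side translation (`nat`/`global`, `nat 0` exemption) and `nat-control`, so it shows what the `static (inside,guest)` line is meant to do, not why the asker's box is still dropping the flow. The routes, statics, ACL entries and the sample packet are constructed from the config posted above.

```python
"""Toy model of pre-8.3 ASA static-NAT destination lookup (added example,
not ASA code). Assumptions are stated in the comments; nothing here is a
diagnosis of the asker's box, only an illustration of the lookup order."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Static:
    real_if: str    # interface the real host lives on
    mapped_if: str  # interface on which mapped_ip is reachable
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "tcp" or "ip"
    src: str             # CIDR network
    dst: str             # CIDR network (a host is a /32)
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str
    proto: str
    dport: int


def acl_lookup(acl, pkt):
    """First-match evaluation of an interface ACL, implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(ace.src):
            continue
        if ip_address(pkt.dst) not in ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def untranslate(statics, pkt):
    """Assumed rule: a static applies only when the packet arrives on its
    mapped_if and is addressed to its mapped_ip."""
    for s in statics:
        if s.mapped_if == pkt.ingress and s.mapped_ip == pkt.dst:
            return (s.real_if, s.real_ip)
    return None


def route(routes, dst):
    """Longest-prefix match over (network, egress_if) pairs."""
    best = None
    for net, egress in routes:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, egress)
    return best[1] if best else None


def forward(statics, acls, routes, pkt):
    """Return (egress_if, destination_after_untranslate) or ('DROP', reason)."""
    if acl_lookup(acls.get(pkt.ingress, []), pkt) != "permit":
        return ("DROP", "ingress ACL")
    hit = untranslate(statics, pkt)
    if hit:
        return hit
    return (route(routes, pkt.dst), pkt.dst)


# Constructed from the posted config: connected networks plus the default route.
ROUTES = [("192.168.3.0/24", "inside"), ("192.168.4.0/24", "guest"),
          ("1.1.1.0/24", "outside"), ("0.0.0.0/0", "outside")]

# The two statics as posted; neither has guest as its mapped interface.
POSTED_STATICS = [Static("inside", "outside", "1.1.1.4", "192.168.3.123"),
                  Static("inside", "inside", "1.1.1.4", "192.168.3.123")]

# Posted guest_in ACL with the line the asker said they inserted at the top.
GUEST_IN = [Ace("permit", "tcp", "192.168.4.0/24", "1.1.1.4/32", 80),
            Ace("permit", "tcp", "192.168.4.0/24", "192.168.3.123/32", 80),
            Ace("deny", "ip", "192.168.4.0/24", "192.168.3.0/24", None),
            Ace("permit", "ip", "192.168.4.0/24", "0.0.0.0/0", None)]

# The flow from the question: guest host to the public address, port 80.
GUEST_PKT = Packet("guest", "192.168.4.4", "1.1.1.4", "tcp", 80)


def without_guest_static():
    """Only the posted statics: 1.1.1.4 is not untranslated on guest, so the
    packet is routed toward outside still addressed to 1.1.1.4."""
    return forward(POSTED_STATICS, {"guest": GUEST_IN}, ROUTES, GUEST_PKT)


def with_guest_static():
    """Adding static (inside,guest) 1.1.1.4 192.168.3.123 lets the guest
    packet be untranslated to the real host on inside."""
    statics = POSTED_STATICS + [Static("inside", "guest", "1.1.1.4", "192.168.3.123")]
    return forward(statics, {"guest": GUEST_IN}, ROUTES, GUEST_PKT)


if __name__ == "__main__":
    print("posted statics only:", without_guest_static())
    print("with (inside,guest):", with_guest_static())
```

Running it prints `('outside', '1.1.1.4')` for the posted statics and `('inside', '192.168.3.123')` once the `(inside,guest)` static is present, which is the translation the asker's first added line is meant to provide; the model also shows the `deny ip 192.168.4.0 ... 192.168.3.0` entry still blocking any other guest-to-inside traffic. Because the model omits the `nat`/`global` and `nat 0` side of the configuration, a real 8.2 box can still drop the flow for reasons this toy does not represent.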

Answer : From inside network, connect to inside host using public outside IP

What comes up on your monitoring?

If you're not using the ASDM I'd start that up; it would make it a lot easier.

I know in my ASA I would enter in

Static (inside, guest) 192.168.3.? 192.168.4.4 netmask 255.255.255.255 tcp 0 0 udp 0
But that's not the exact command you're going to want to enter; obviously make your changes.

I'm thinking your problem isn't so much the NAT as it is confusing to the ASA. In a sense you're telling the ASA not to NAT the addresses (i.e. the no-NAT), but you want to use 1.1.1.4 to access the inside (but that's not on the same subnet, so it will not work), not to mention the ASA understands that subnet as being a subnet for the outside. I'm thinking the ASA doesn't know what to do with it. Try using an address within the subnet to access the inside interface (i.e. 192.168.3.1).