[fw-wiz] ASA NAT makes real address inaccessible?

Greetings all,

I have an issue with NAT on a Cisco ASA 5520 running ASA software version
7.0(2) and being configured/managed via ASDM...

There are four interfaces relevant to this problem:

Internet --              -- New-DMZ
            \ _________ /
             |         |
             |   ASA   |
            /           \
Internal --              -- Old-DMZ

We relocated a WWW proxy (squid on Linux) from the Old-DMZ to the
New-DMZ, and it tested OK from an internal workstation (call it WS-A)
configured with the new proxy address.

In order to smooth the migration, we added a nat rule on the Internal
interface to translate the proxy's old address to its new address. That
tested OK from an internal workstation (call it WS-B) configured with
the old proxy address.

But... after adding that NAT rule, WS-A (still configured with the new
proxy address) is unable to connect to the proxy - it seems that
configuring the NAT rule has made the real address inaccessible {:-(

I can think of a couple of different workarounds, involving having the
proxy listen on an additional IP address and/or TCP port, but these
seem like unnecessary hacks to work around a hopefully simple problem.

Any suggestions on how to solve this in the ASA config?


firewall-wizards mailing list