Firewall Wizards mailing list archives

ASA NAT makes real address inaccessible?


From: Neale Banks <neale () lowendale com au>
Date: Thu, 6 Jul 2006 20:06:26 +1000 (EST)

Greetings all,

I have an issue with NAT on a Cisco ASA 5520 running ASA software version
7.0(2) and being configured/managed via ASDM...

There are four interfaces relevant to this problem:

Internet --             -- New-DMZ
           \ _________ /
            |         |
            |   ASA   |
            |_________|
           /           \
Internal --             -- Old-DMZ

We relocated a WWW proxy (squid on Linux) from the Old-DMZ to the
New-DMZ, and it tested OK from an internal workstation (call it WS-A)
configured with the new proxy address.

In order to smooth the migration, we added a nat rule on the Internal
interface to translate the proxy's old address to its new address.  That
tested OK from an internal workstation (call it WS-B) configured with
the old proxy address.

But... after adding that NAT rule, WS-A (still configured with the new
proxy address) is unable to connect to the proxy - it seems that
configuring the NAT rule has made the real address inaccessible  {:-(

I can think of a couple of different workarounds, involving having the
proxy listen on an additional IP address and/or TCP port, but these
seem like unnecessary hacks to work around a hopefully simple problem.

Any suggestions on how to solve this in the ASA config?

Thanks,
Neale.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
