We are using a 5505 ASA Sec+ (8.2). There are three interfaces: inside (172.17.0.0/24), dmz (172.16.0.0/24) and outside (1.2.3.4 for the example).
There are static NAT rules set up translating 1.2.3.4 to servers on the dmz (including 1.2.3.4:80 to 172.16.0.10:80). These work from the outside.
How do I let users on the inside access the DMZ servers using the outside IP in the same way as users on the outside?
Because we are using port address translation (several different servers depending on the port number), I want to avoid DNS doctoring.
It does not matter whether we use NAT or not for direct inside-dmz traffic (most traffic will be through the public IP anyway).
The current NAT configuration:
ASA Version 8.2(5)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 1 172.17.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (dmz,outside) tcp interface www 172.16.0.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 172.16.0.10 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
With this minimal configuration, the inside users cannot access the dmz servers at all. Both inside users and dmz servers can access the internet outside just fine, and the dmz servers are accessible from the internet.
I have done this on 8.3+ but I'm a little fuzzy on how we used to do it on 8.2.
I believe it was something like this:
or with an ACL:
If that doesn't work I know the following works for 8.3+ so might help you in some way
Now I'm sure I screwed up some part of that so somebody let me know.