
Thursday, 13 September 2012

Accessing External NAT IPs on a Cisco ASA

The Cisco ASA has always had a limitation: from the inside interface, you can't access the external IPs that are NAT'd by the ASA. Here's how to get round it.

In the diagram, you can see we have a Smartphone which needs to access services from the Server.

We can't guarantee how the smartphone will be connecting; it may be through the office Wi-Fi or the Internet.

The smartphone is set up to use the DNS name of the server - which points to the external IP - whichever network it is on.

To enable this we need to do a couple of things.

First we need to add the inside interface to a new PAT pool:

global (inside) 10 interface

Then you need to add an inside-inside static statement:

static (inside,inside) x.x.x.99 z.z.z.99 netmask 255.255.255.255

And that's it!


Thursday, 16 February 2012

Finding who's using your bandwidth on Cisco ASA

Until recently the Cisco ASA had a Top Talkers facility which showed you who was using up your bandwidth.

Now that's no longer available, one quick(ish) and easy(ish) way is to:

Connect to the ASA with PuTTY and capture the output of "show conn" to a CSV file.

Then edit the file with a text editor (I suggest Notepad++) and replace " bytes " with "" so that the byte count sits in its own comma-separated column.

Save the file, then open it up in Excel, where you can sort by size and work out who's using what...
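The same tally can be scripted instead of sorted by hand in Excel. The following is an added example, not part of the original post: it sums the byte counts in captured "show conn" output per inside host. The line layout it parses and the sample capture are assumptions constructed for illustration, so adjust the pattern to match what your ASA version prints.

```python
import re
from collections import Counter

# Assumed layout of one "show conn" entry:
#   PROTO <ifname> ip:port <ifname> ip:port, idle h:mm:ss, bytes N, flags F
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),?\s+"
    r"idle\s+[\d:]+,?\s+bytes\s+(?P<bytes>\d+)"
)

def top_talkers(show_conn_text, interface="inside", limit=10):
    """Sum bytes per host seen on `interface`.

    Returns [(ip, total_bytes), ...] with the largest total first.
    """
    totals = Counter()
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # summary line ("N in use, ...") or unrecognised text
        for side in ("a", "b"):
            if m["if_" + side] == interface:
                totals[m["ip_" + side]] += int(m["bytes"])
    return totals.most_common(limit)

# Constructed sample capture (documentation and private addresses only).
SAMPLE = """\
5 in use, 37 most used
TCP outside 203.0.113.10:443 inside 192.168.1.20:51234, idle 0:00:05, bytes 482913, flags UIO
TCP outside 198.51.100.7:80 inside 192.168.1.21:49822, idle 0:00:01, bytes 1520, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.20:60001, idle 0:00:10, bytes 120, flags -
TCP outside 203.0.113.99:443 inside 192.168.1.22:50100, idle 0:01:12, bytes 9000311, flags UIO
TCP outside 203.0.113.10:443 inside 192.168.1.21:49900, idle 0:00:03, bytes 77000, flags UIO
"""

if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE):
        print(f"{ip:<15} {total:>12,} bytes")
```

Passing interface="outside" ranks the remote endpoints instead, which helps when a single external destination accounts for most of the traffic.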