Hey all. New to MIAB and I’ve been working with my hosting provider on configuration of their Cisco firewall. It’s taken a bit but I have a working config that hopefully those with similar circumstances could benefit from. The assumption of MIAB is that it can reference itself via its Internet facing IP address. In the stock Cisco nat that does not work, so a technique called “NAT Reflection” or “Hair-pinning” needs to be done.
First define three network objects like so:
object network Box
 host PRIVATE_IP
object network Box_Outside
 host PUBLIC_IP
object network Box_Reflect
 host PRIVATE_IP
Then set up the NAT configurations:
object network Box
 nat (Inside,Outside) static Box_Outside
object network Box_Reflect
 nat (Inside,Inside) static Box_Outside
Then create a rule to allow for Outside traffic to come in:
object-group service MIAB_Ports
 service-object tcp destination eq ssh
 service-object tcp destination eq smtp
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq 465
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq 4190
 service-object udp destination eq domain
 service-object tcp destination eq 587
access-list Outside_in extended permit object-group MIAB_Ports any4 object Box
At this point your MIAB system will start passing system checks. Hopefully this helps someone along to success.
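A quick way to confirm that the reflected NAT really delivers every port in MIAB_Ports is to connect to the box's public IP from a host inside the firewall (the MIAB box itself works) and see which ports answer. The script below is an added example, not part of the post above: it parses the object-group text as pasted, maps the Cisco port keywords (ssh, smtp, domain, www, https) to numbers, and attempts a TCP connect to each port at the public address. PUBLIC_IP is a placeholder; the local-listener self test and the embedded copy of the object-group are constructed so the script can be exercised offline.

```python
"""Check that hairpin (reflected) NAT delivers traffic for every TCP port
listed in an ASA service object-group.

Added example, not part of the original post. Run it from a host inside
the firewall against the box's public IP, e.g.:
    python3 check_hairpin.py 203.0.113.10
"""
import socket
import sys
from contextlib import closing

# Cisco ASA port keywords used in the object-group, mapped to port numbers.
CISCO_PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "https": 443}

# Constructed sample: a copy of the MIAB_Ports group from the post.
MIAB_PORTS_CONFIG = """\
object-group service MIAB_Ports
 service-object tcp destination eq ssh
 service-object tcp destination eq smtp
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq 465
 service-object tcp destination eq 993
 service-object tcp destination eq 995
 service-object tcp destination eq 4190
 service-object udp destination eq domain
 service-object tcp destination eq 587
"""


def parse_service_objects(config_text):
    """Return [(protocol, port), ...] from 'service-object ... eq X' lines."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[0] == "service-object"
                and parts[2] == "destination" and parts[3] == "eq"):
            proto, name = parts[1], parts[4]
            port = CISCO_PORT_NAMES.get(name)
            if port is None:
                port = int(name)          # numeric ports such as 465 or 4190
            entries.append((proto, port))
    return entries


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:                   # refused, timed out, unreachable
            return False


def check_hairpin(public_ip, config_text, timeout=3.0):
    """Map each (proto, port) to True/False for TCP entries.

    UDP entries (the DNS line) are reported as None: a bare connect cannot
    confirm a UDP service, so they need a real DNS query instead.
    """
    results = {}
    for proto, port in parse_service_objects(config_text):
        if proto == "tcp":
            results[(proto, port)] = tcp_port_open(public_ip, port, timeout)
        else:
            results[(proto, port)] = None
    return results


def self_test():
    """Offline check of the probe: a local listener stands in for the box.

    Returns (open_result, closed_result); expected (True, False).
    """
    with closing(socket.socket()) as listener:
        listener.bind(("127.0.0.1", 0))   # ephemeral port, constructed target
        listener.listen(1)
        port = listener.getsockname()[1]
        open_result = tcp_port_open("127.0.0.1", port, 1.0)
    # The listener is closed now, so the same port must refuse connections.
    closed_result = tcp_port_open("127.0.0.1", port, 1.0)
    return open_result, closed_result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "PUBLIC_IP"  # placeholder
    for (proto, port), ok in sorted(check_hairpin(target, MIAB_PORTS_CONFIG).items()):
        state = "skipped (udp)" if ok is None else ("open" if ok else "CLOSED")
        print(f"{proto}/{port}: {state}")
```

If every TCP port reports CLOSED when run from inside the network while the same ports are fine from the Internet, the reflection itself is not taking effect; on an ASA that usually means the "same-security-traffic permit intra-interface" setting is absent, which the hosting provider may already have configured on their side.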