How to access my own Public IP from inside Network

Unanswered Question
Mar 16th, 2007

Hi,

I am using ASA 5510 appliance in a test environment and noticed that from inside network I can ping most of the IPs on internet for example yahoo.ca

But I can NOT ping Public IP of my own servers which are statically natted on my ASA and trying to understand the process and if possible a workaround to achieve it.

currently ICMP is allowed any to any for this testing and the outbound traffic gets natted to outside interface of my ASA

Will appreciate any advice.

Thanks,

Sanjeev

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.

I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 69.90.71.85 ;

static (outside,inside) 69.90.71.85 172.17.150.23 255.255.255.255

It simply will not seem to work. Can anyone lend some assistance?

spabbi100 Wed, 06/13/2007 - 11:08

Hi David,

Just saw your question in the middle of this thread which i initiated few months ago and finally the issue was resolved, so i thought if you are looking for the same solution,

as per your description 172.17.150.0/24 is your inside network and you are trying to have a static NAT translation 69.90.71.85 to 172.17.150.23 and also you want to browse the website on IP 69.90.71.85 .

I assume you are trying it from a machine on inside of your network, if thast case, then we are on the same page and here is how you will resolve this.

Required commands:

same-security-traffic permit intra-interface

static (inside,outside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255

Explanation:

because request is initiated from inside the firewall so it hits the INSIDE interface then after the NAT translation Packets have to comeout of the same INSIDE interface towards your LAN, so first command allows packets to enter and leave from the same interface, its a global command.

Second command will allow you web Server with private IP as 172.17.150.23 to appears as Public IP 69.90.71.85 to oustside world ( Not inside users)

Assuming the Client on inside network with IP 172.17.150.200, when it try to access the web site by public IP 69.90.71.85 - Third command translates the Web Server Public IP to Private IP.

Fourth command does the source translation converting the original Client IP 172.17.250.200 to a fake non existing IP 172.27.250.200 ( This step is very important, because without this Web server will receive the incoming packet but for return traffic it will try to go to Client IP directly because its in the same subnet and it never recahes there as it bypasses Firewall) So in the Web server logs it will appear as if request has come from 172.27.150.200 NOT 172.17.150.200

Hope it helps .......

Sanjeev

abinjola Fri, 03/16/2007 - 10:36

from "inside" You can never ever ping public IPs used in static mapping...if thats what you are trying,untill you are U-Turing the traffic

can you tell us from where are you trying to ping those public Ips..?

spabbi100 Fri, 03/16/2007 - 10:51

OK, here is a bit more detailed description :

A very standard setup having an ASA 5510 firewall (Outside 66.48.x.x ; inside 10.10.40.5) behind that is a CSS 11503 Load Balancer (outside 10.10.40.3 ; inside 172.16.70.3), behind CSS there are bunch of Web servers (172.16.70.100, 101, 102) and a FTP server (172.16.70.200)

The Requirement is to allow FTP Server to access Web servers using Farm IP 10.10.40.254 and by default Load balancer does NOT entertain any request (for the farm its handling) which doesn't come through its outside interface (10.10.40.3). So i am trying to target Public IP of Server Farm so that from FTP server packets first crosses the CSS load balancer hit inside interface of ASA and then come back with different Source IP ( which is Static Public IP of FTP server) hit the outside interface of CSS and it process the request just as if for an Internet client.

Not sure if i explained that well, in the nut shell a server behind the load balancer is trying to access Load Balanced Farm IP to maintain redundancy for HTTP access.

Regards,

Sanjeev

abinjola Fri, 03/16/2007 - 11:18

Do you necessarily need 10.10.40.254 ip to access the webservers ? if not then you can use U turning feature of ASA

Static (inside,inside) 172.16.70.100

same-security-traffic permit

that means your FTP server would hit the request on ASA , the destined packet would be having destination of an virtual IP 10.10.1.1 (lets say), ASA would xlate it back to 172.16.70.100

does the CSS does NAT ?

abinjola Fri, 03/16/2007 - 11:20

is this the topology ?

66.48.x.x--ASA--10.10.40.5====.3CSS(load balancer)---172.16.70.3---| 172.16.70.100,101,102 |

|

|

172.16.70.200(ftp)

spabbi100 Fri, 03/16/2007 - 21:40

abinjola,

The FTP Server (172.16.70.200) is actually sitting in the same subnet as the Web Servers.

Thats where the the Problem lies .Otherwise for any client in a different subnet doing http access, targets Farm IP 10.10.40.254 ( or 66.48.x.x for Internet clients) packets hit CSS outside i/F and the Return Traffic also goes back THROUGH the Load Balancer so it works.

Load Balancer does not do any Natting, however when it receives a request if it is for one of its Farm IP (10.10.40.254) it does the load balancing and pass the request to member servers in that farm, if NOT then it simply act as a router and just pass the requests based on its routing table.

I tried the configuration you suggested using virtual IP of 10.10.60.254 But the Ping to 10.10.60.254 from a server 172.16.70.104 doesn't work and getting following error on ASA ASDM

3 Mar 17 2007 00:29:29 305006 10.10.60.254 portmap translation creation failed for icmp src inside:172.16.70.104 dst inside:10.10.60.254 (type 8, code 0)

in this case 172.16.70.104 was another FTP Server.

I also tried Alias and Bi-Directional NAT , other user suggested but that did not help either.

When i start PAcket Capture on inside of ASA I only see ICMP requests coming in for 10.10.60.254 but no reply packet.

Hope it helps for better understanding.

spabbi100 Sun, 03/18/2007 - 09:03

Hi abinjola,

OK It finally worked, your advice was really VERY helpful, I had to tweak it a little bit as below,

same-security-traffic permit intra-interface

static (inside,inside) 66.48.x.y 10.10.40.254 netmask 255.255.255.255

static (inside,inside) 66.48.x.z 172.16.70.104 netmask 255.255.255.255

explanation:

This way when the FTP server send http request to Public IP of Web Farm 66.48.x.y request goes through the CSS and hit inside interface of ASA, the ASA then does the Translation of destination from 66.48.x.y to 10.10.40.254 and also for the source IP from 172.16.70.104 to 66.48.x.z So now the Load balancer thinks the request has come from its outside interface from 66.48.x.z (I verified it from website log file) and the return traffic doesn't try to reach the FTP server through its inside interface rather it goes through css outside i/F and hits the ASA inside interface again , then ASA does the reverse Trasnalation and those packets are forwarded to 172.16.70.104 which again hits CSS outside interface and eventually reaches FTP Server.

I thought I must provide update before closing this thread, if it helps anybody else.

This workaround i achieved through ASA would be much better if somehow i can restrict myself just to Load Balancer itself, I will keep looking for that.

Regards,

Sanjeev

astripat Tue, 03/20/2007 - 13:12

yes you wont be able to ping,until U turning is enabled.

Actions

This Discussion