How to access my own Public IP from inside Network

Mar 16th, 2007

Hi,


I am using an ASA 5510 appliance in a test environment and noticed that from the inside network I can ping most of the IPs on the internet, for example yahoo.ca.

But I can NOT ping the public IPs of my own servers, which are statically NATted on my ASA, and I am trying to understand the process and, if possible, a workaround to achieve it.

Currently ICMP is allowed any to any for this testing, and the outbound traffic gets NATted to the outside interface of my ASA.

I will appreciate any advice.


Thanks,

Sanjeev


I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 69.90.71.85:


static (outside,inside) 69.90.71.85 172.17.150.23 255.255.255.255


It simply will not seem to work. Can anyone lend some assistance?

spabbi100 Wed, 06/13/2007 - 11:08

Hi David,

Just saw your question in the middle of this thread, which I initiated a few months ago; the issue was finally resolved, so I thought you might be looking for the same solution.

As per your description, 172.17.150.0/24 is your inside network, you are trying to have a static NAT translation of 69.90.71.85 to 172.17.150.23, and you also want to browse the website on IP 69.90.71.85.

I assume you are trying it from a machine on the inside of your network; if that's the case, then we are on the same page and here is how you will resolve this.


Required commands:


same-security-traffic permit intra-interface

static (inside,outside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255


Explanation:

Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, packets have to come out of the same INSIDE interface towards your LAN, so the first command allows packets to enter and leave from the same interface. It's a global command.

The second command will allow your web server with private IP 172.17.150.23 to appear as public IP 69.90.71.85 to the outside world (not inside users).

Assuming the client on the inside network has IP 172.17.150.200, when it tries to access the web site by public IP 69.90.71.85, the third command translates the web server's public IP to the private IP.

The fourth command does the source translation, converting the original client IP 172.17.250.200 to a fake non-existing IP 172.27.250.200. (This step is very important, because without this the web server will receive the incoming packet, but for return traffic it will try to go to the client IP directly, because it's in the same subnet, and it never reaches there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from 172.27.150.200, NOT 172.17.150.200.


Hope it helps .......


Sanjeev

abinjola (Cisco Employee) Fri, 03/16/2007 - 10:36

From "inside" you can never ever ping public IPs used in a static mapping, if that's what you are trying, until you are U-turning the traffic.

Can you tell us from where you are trying to ping those public IPs?

spabbi100 Fri, 03/16/2007 - 10:51

OK, here is a bit more detailed description:

A very standard setup: an ASA 5510 firewall (outside 66.48.x.x; inside 10.10.40.5); behind that is a CSS 11503 load balancer (outside 10.10.40.3; inside 172.16.70.3); behind the CSS there are a bunch of web servers (172.16.70.100, 101, 102) and an FTP server (172.16.70.200).

The requirement is to allow the FTP server to access the web servers using farm IP 10.10.40.254, and by default the load balancer does NOT entertain any request (for the farm it's handling) which doesn't come through its outside interface (10.10.40.3). So I am trying to target the public IP of the server farm so that packets from the FTP server first cross the CSS load balancer, hit the inside interface of the ASA, and then come back with a different source IP (which is the static public IP of the FTP server), hit the outside interface of the CSS, and it processes the request just as if for an Internet client.

Not sure if I explained that well; in a nutshell, a server behind the load balancer is trying to access the load-balanced farm IP to maintain redundancy for HTTP access.


Regards,

Sanjeev


abinjola (Cisco Employee) Fri, 03/16/2007 - 11:18

Do you necessarily need the 10.10.40.254 IP to access the web servers? If not, then you can use the U-turning feature of the ASA:


Static (inside,inside) 172.16.70.100


same-security-traffic permit


That means your FTP server would send the request to the ASA; the packet would have the destination of a virtual IP 10.10.1.1 (let's say), and the ASA would xlate it back to 172.16.70.100.

Does the CSS do NAT?

abinjola (Cisco Employee) Fri, 03/16/2007 - 11:20

Is this the topology?


66.48.x.x--ASA--10.10.40.5====.3CSS(load balancer)---172.16.70.3---| 172.16.70.100,101,102 |
                                                                   |
                                                                   |
                                                             172.16.70.200(ftp)

spabbi100 Fri, 03/16/2007 - 21:40

abinjola,


The FTP server (172.16.70.200) is actually sitting in the same subnet as the web servers.

That's where the problem lies. Otherwise, for any client in a different subnet doing HTTP access that targets farm IP 10.10.40.254 (or 66.48.x.x for Internet clients), packets hit the CSS outside i/f and the return traffic also goes back THROUGH the load balancer, so it works.

The load balancer does not do any NATting; however, when it receives a request, if it is for one of its farm IPs (10.10.40.254) it does the load balancing and passes the request to member servers in that farm; if NOT, then it simply acts as a router and just passes the requests based on its routing table.

I tried the configuration you suggested using a virtual IP of 10.10.60.254, but the ping to 10.10.60.254 from a server 172.16.70.104 doesn't work and I am getting the following error on the ASA ASDM:


3 Mar 17 2007 00:29:29 305006 10.10.60.254 portmap translation creation failed for icmp src inside:172.16.70.104 dst inside:10.10.60.254 (type 8, code 0)


In this case 172.16.70.104 was another FTP server.

I also tried Alias and bi-directional NAT, which another user suggested, but that did not help either.

When I start a packet capture on the inside of the ASA I only see ICMP requests coming in for 10.10.60.254 but no reply packet.

Hope it helps for better understanding.

spabbi100 Sun, 03/18/2007 - 09:03

Hi abinjola,


OK, it finally worked. Your advice was really VERY helpful; I had to tweak it a little bit as below:


same-security-traffic permit intra-interface

static (inside,inside) 66.48.x.y 10.10.40.254 netmask 255.255.255.255

static (inside,inside) 66.48.x.z 172.16.70.104 netmask 255.255.255.255


Explanation:

This way, when the FTP server sends an HTTP request to the public IP of the web farm 66.48.x.y, the request goes through the CSS and hits the inside interface of the ASA. The ASA then does the translation of the destination from 66.48.x.y to 10.10.40.254 and also of the source IP from 172.16.70.104 to 66.48.x.z. So now the load balancer thinks the request has come from its outside interface from 66.48.x.z (I verified it from the website log file), and the return traffic doesn't try to reach the FTP server through its inside interface; rather it goes through the CSS outside i/f and hits the ASA inside interface again. Then the ASA does the reverse translation and those packets are forwarded to 172.16.70.104, which again hits the CSS outside interface and eventually reaches the FTP server.

I thought I must provide an update before closing this thread, in case it helps anybody else.

This workaround I achieved through the ASA would be much better if somehow I could restrict myself just to the load balancer itself; I will keep looking for that.


Regards,

Sanjeev
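A constructed model, added here and not part of the thread, of the hairpin (U-turn) NAT that Sanjeev's two explanations describe: the static (inside,inside) pairs are bidirectional mapped/real entries, the intra-interface permit decides whether the ASA forwards at all, and the source translation is what keeps the server's reply from being delivered directly when client and server share a subnet. The 172.17.150.x addresses from the 515E post are used; the farm-IP case works the same way with the 66.48.x.y / 66.48.x.z pairs substituted.

```python
import ipaddress

# Constructed model of the ASA hairpin NAT from the thread. A 'static (inside,inside)
# <mapped> <real>' entry is bidirectional, so one translate step serves both directions.
INSIDE_SUBNET = ipaddress.ip_network("172.17.150.0/24")

# mapped -> real, as the thread's static (inside,inside) lines
FULL_CONFIG = {"69.90.71.85": "172.17.150.23",       # web server public -> private
               "172.27.150.200": "172.17.150.200"}   # client private -> fake source
NO_SOURCE_NAT = {"69.90.71.85": "172.17.150.23"}     # fourth command omitted


def asa_translate(statics, src, dst):
    """One pass through the ASA: the destination is untranslated (mapped -> real) and
    the source is translated (real -> mapped). Addresses with no entry pass unchanged."""
    real_to_mapped = {real: mapped for mapped, real in statics.items()}
    return real_to_mapped.get(src, src), statics.get(dst, dst)


def hairpin_flow(statics, client, server_public, intra_interface=True):
    """Simulate client -> server_public and the server's reply. Returns the path the
    reply took and whether the client saw a reply from the address it sent to."""
    if not intra_interface:
        # without 'same-security-traffic permit intra-interface' the ASA drops the packet
        return {"path": "dropped", "ok": False}
    fwd_src, fwd_dst = asa_translate(statics, client, server_public)
    reply_src, reply_dst = fwd_dst, fwd_src      # server answers whatever source it saw
    if ipaddress.ip_address(reply_dst) in INSIDE_SUBNET:
        # reply destination is on the server's own subnet: delivered directly, ASA bypassed
        path, final_src, final_dst = "direct", reply_src, reply_dst
    else:
        # reply goes to the default gateway (the ASA) and is translated back
        path = "via-asa"
        final_src, final_dst = asa_translate(statics, reply_src, reply_dst)
    ok = final_dst == client and final_src == server_public
    return {"path": path, "reply_from": final_src, "reply_to": final_dst, "ok": ok}


if __name__ == "__main__":
    for name, cfg in (("full", FULL_CONFIG), ("no-source-nat", NO_SOURCE_NAT)):
        print(name, hairpin_flow(cfg, "172.17.150.200", "69.90.71.85"))
```

Without the source translation the client receives a reply from 172.17.150.23 while it is waiting on 69.90.71.85, which is the asymmetric return path the post warns about.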

abinjola (Cisco Employee) Mon, 03/19/2007 - 09:18

I am glad I was able to help you. :-)

astripat Tue, 03/20/2007 - 13:12

Yes, you won't be able to ping until U-turning is enabled.