Webserver behind ASA 5505

Unanswered Question
Jul 9th, 2007

I have an ASA 5505 at home and I am currently statically NATing my internal resources to the outside world successfully. My only problem is that when I try to access my internal resources by name from the inside, they resolve to the IP of my external interface and I am unable to access them.

I know the simple solution would be to make a host file entry or modify my DNS, but I am unwilling to let the ASA beat me.

I assume I need some sort of ACL to stop NATing or some sort of NAT exemption, but am unsure of what to do. Can anyone help me?

Thanks,

acomiskey Mon, 07/09/2007 - 06:20

You need either dns doctoring or hairpinning.

Here is the link which explains both. DNS doctoring will actually change the resolved ip address in the ASA to the inside address. Hairpinning will allow you to request the public address and allow you to bounce off the inside interface of the ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Please rate helpful posts.
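To make the two approaches concrete, here is an added example in pre-8.3 ASA syntax (written for this page; it is not from the original thread or from the Cisco document linked above). It assumes an inside web server at 192.168.1.5, an inside subnet of 192.168.1.0/24, a fixed public address of 203.0.113.10 (a documentation placeholder), and a test client at 192.168.1.50. It uses a one-to-one static rather than port-level static PAT because the `dns` keyword that drives DNS doctoring is only accepted on one-to-one statics; the hairpin half does not have that restriction but still needs the intra-interface permit and the inside-interface PAT shown.

```text
! --- Option 1: DNS doctoring (DNS rewrite) ---
! The inside client resolves the server's name at an external DNS
! server. The reply carries 203.0.113.10; because the static carries
! the "dns" keyword and DNS inspection is enabled, the ASA rewrites the
! A record to 192.168.1.5 before handing the reply to the client, so
! the client connects directly on the LAN and the ASA stays out of the
! data path. Addresses below are assumed placeholders.
static (inside,outside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255 dns
!
! DNS inspection is required for the rewrite. This is the default
! global policy on 7.2, shown only so the dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! --- Option 2: hairpinning (U-turn on the inside interface) ---
! The client connects to 203.0.113.10. The ASA accepts the packet on
! inside, translates the destination to 192.168.1.5 and sends it back
! out the same interface. The client's source is PATed to the inside
! interface address so the server's reply returns through the ASA;
! without that PAT the server would answer the client directly with a
! source of 192.168.1.5, which the client is not expecting.
same-security-traffic permit intra-interface
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,inside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255
!
! --- Check (ASA 7.2 and later) ---
! Trace a client connection to the public address through the rules;
! the output should show the (inside,inside) static being hit in the
! NAT phase and finish with "Action: allow". show xlate then lists the
! translations built for the real connection.
packet-tracer input inside tcp 192.168.1.50 12345 203.0.113.10 80
show xlate
```

Pick one option: DNS doctoring is the lighter one because the server traffic never touches the firewall, but it only works when the client's DNS replies actually traverse the ASA (an external resolver); hairpinning works regardless of DNS but puts every inside-to-server connection through the ASA twice.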

enkrypter Mon, 07/09/2007 - 09:09

Here is what I have configured and it is not working. The hairpin example you sent me only shows how to do static NAT, not PAT.

same-security-traffic permit intra-interface
access-list inbound extended permit tcp any interface outside eq ftp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq ftp-data
access-list inbound extended permit udp any interface outside eq tftp
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit icmp any interface outside
access-list inbound extended deny tcp any interface outside eq smtp log
access-list inbound extended permit tcp any interface outside eq 6129
access-list inbound extended permit tcp any interface outside eq 5900
access-list inbound extended permit udp any interface outside eq 5900
access-list inside_nat0_outbound extended permit ip any interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.1.130-192.168.1.135 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.16 3389 netmask 255.255.255.255
static (inside,outside) udp interface tftp 192.168.1.16 tftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.16 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,outside) udp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (inside,inside) tcp interface 3389 192.168.1.16 3389 netmask 255.255.255.255
static (inside,inside) udp interface tftp 192.168.1.16 tftp netmask 255.255.255.255
static (inside,inside) tcp interface ftp 192.168.1.16 ftp netmask 255.255.255.255
static (inside,inside) tcp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,inside) udp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
access-group inbound in interface outside

acomiskey Mon, 07/09/2007 - 09:31

Sorry, I don't think either works with PAT. I've never tried to hairpin with PAT, but if it would work it would probably look more like this...

static (inside,inside) tcp 3389 192.168.1.16 3389 netmask 255.255.255.255

enkrypter Mon, 07/09/2007 - 09:46

I agree, but the problem is the outside IP is dynamic, and when the IP changed the whole config would too. Sounds like a limitation on Cisco's part if you ask me.

Funny how a $50.00 Linksys can overcome this problem, but not an ASA...

Thanks for the advice!
