09-14-2007 12:02 PM - edited 03-05-2019 06:29 PM
Hi,
I'm having issues getting the correct rule that allows all of my 192.168.1.0/24 (inside) machines to access services like http/smtp that are being exposed to the outside via PAT.
Indeed I can access everything from outside the network but from within my own network I can't access those services.
Appreciate any help!
Example:
61.21.1.1 (outside IP)
192.168.1.10 (inside IP)
192.168.1.10 access denied to 61.21.1.1
:(
09-14-2007 12:21 PM
I'm not sure I understand. Is this on a router or a PIX? What ip nat commands do you have in place? Could you post your config please? Then we might be able to identify the problem.
Kevin Dorrell
Luxembourg
09-14-2007 12:34 PM
Sorry for the lack of details: Here's the running-config:
Basically, I have a host behind the ASA device that I use to get email from my own mail server which is on the inside but I use the fqdn so the request has to go out of the firewall and then back in, but apparently that's not allowed because I'm getting denied packets in my logger for the ASA. I'm sure I've spaced some access rule and when I try to create any I can't seem to get the parameters right. Thanks!
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
names
name 192.168.1.20 master
name 192.168.1.10 mail
name 192.168.1.3 host1
name 17.17.17.1 PublicIP
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address PublicIP 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd xyxz encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name domain.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service www tcp-udp
description Web traffic
port-object eq www
access-list outside_access_in remark Allow for incoming Secure SMTP requests
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in remark Allow for incoming Secure IMAP requests
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in remark Allow for incoming smtp requests
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow for incoming https requests
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark Allow for incoming http requests
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 17.17.17.1 1
09-15-2007 04:32 AM
I think what I am really describing here is "hairpinning". Where a packet originates on the inside interface and is immediately being asked to come back inside since the IP:Service I'm requesting is really on the inside. I'm going to try the hairpinning theory and modify my config to see if it fixes my issue. Still open to comments/solutions. Thank you!
09-15-2007 09:47 AM
Kevin, that is correct. If the destination is on the inside along with the source and the two need to communicate, then you apply hairpinning:
same-security-traffic permit intra-interface
static (inside,inside) 61.21.1.1 192.168.1.10 netmask 255.255.255.255
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1494249
Rgds
Jorge
09-18-2007 05:59 AM
Hmm.. Well, that didn't work. Perhaps I don't understand this. Let's try a simpler example:
I have my ASA 5505 outside interface IP set to: 1.1.1.1
My inside interface network is of 192.168.1.0/24.
If I am on host 192.168.1.30, I can't even ping my 1.1.1.1 (external/public IP).
Would that be a form for "hairpinning" or not?
If it's "not", then what would need to be added to allow that icmp flow? I could then apply that to my smtp traffic, etc.
Thanks again!
09-18-2007 07:25 AM
Here's a logging message that may help us understand it:
TCP access denied by ACL from 192.168.1.30/53484 to inside:PublicIP/80
09-19-2007 01:28 PM
Problem solved - Needed to add:
global (inside) 1 interface
hehe :)
09-20-2007 11:00 AM
Great, good to know how you got it resolved.
09-20-2007 11:17 AM
Actually, I thought I had it figured out, but it's not exactly working. Indeed I can hit the web sites that are hosted internally although DNS resolves them to the external interface, but I still can't get to specific services on that outside interface. Example is Secure IMAP.
I can access secure imap fine from the outside, but no hosts on the inside can get to it.
The one thing I did add to help me get the website traffic working at least was this:
global (inside) 1 interface
Still looking for the rest of the solution.
Jorgemcse:
I felt like this might have been more of a firewall issue so I posted over there, here's the link which contains an update of my running configuration:
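An added example, not from any post in this thread: a small Python model of the ASA 7.2 hairpin path, showing which three pieces the inside-to-PublicIP flow needs before the firewall will forward it (the intra-interface permit, a static (inside,inside) for that service, and a global (inside) so the source matched by nat (inside) 1 has a pool on the egress interface). Names and ports follow the posted config; writing the hairpin static with PublicIP instead of the interface keyword, and the placeholder PAT address for global (inside) 1 interface, are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asa72Hairpin:
    """Toy model of how ASA 7.2 treats a packet that must leave the interface it arrived on."""
    intra_interface: bool = False
    statics: dict = field(default_factory=dict)   # (mapped_if, real_if, proto, ip, port) -> (real_ip, real_port)
    globals_: dict = field(default_factory=dict)  # (egress_if, pool_id) -> PAT address
    nat_ids: dict = field(default_factory=dict)   # ingress_if -> pool_id from 'nat (if) id ...'

    def static(self, real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port):
        # static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
        self.statics[(mapped_if, real_if, proto, mapped_ip, mapped_port)] = (real_ip, real_port)

    def global_(self, egress_if, pool_id, address):
        self.globals_[(egress_if, pool_id)] = address    # global (egress_if) pool_id address

    def nat(self, ingress_if, pool_id):
        self.nat_ids[ingress_if] = pool_id               # nat (ingress_if) pool_id 0.0.0.0 0.0.0.0

    def hairpin(self, ingress_if, proto, dst_ip, dst_port):
        """Packet enters ingress_if bound for dst_ip:dst_port, a mapped address whose real
        server also sits behind ingress_if. Returns (forwarded, reason)."""
        if not self.intra_interface:
            return False, "dropped: same-security-traffic permit intra-interface is missing"
        # Destination untranslation only uses statics whose mapped side faces the ingress interface.
        real = self.statics.get((ingress_if, ingress_if, proto, dst_ip, dst_port))
        if real is None:
            return False, f"dropped: no static ({ingress_if},{ingress_if}) for {proto}/{dst_ip}:{dst_port}"
        # Once a nat rule matches the source, a global for the egress interface must exist.
        pool = self.nat_ids.get(ingress_if)
        pat = self.globals_.get((ingress_if, pool))
        if pool is not None and pat is None:
            return False, f"dropped: nat ({ingress_if}) {pool} matched but no global ({ingress_if}) {pool} exists"
        return True, f"forwarded to {real[0]}:{real[1]} with source PAT to {pat}"

def thread_config(with_hairpin_fix: bool) -> Asa72Hairpin:
    """The posted config as far as Secure IMAP is concerned; values taken from the thread."""
    asa = Asa72Hairpin(intra_interface=True)             # same-security-traffic permit intra-interface
    asa.nat("inside", 1)                                 # nat (inside) 1 0.0.0.0 0.0.0.0
    asa.global_("outside", 1, "PublicIP")                # global (outside) 1 interface
    asa.static("inside", "outside", "tcp", "PublicIP", 993, "mail", 993)
    if with_hairpin_fix:
        asa.global_("inside", 1, "INSIDE-IF-PLACEHOLDER")  # global (inside) 1 interface
        asa.static("inside", "inside", "tcp", "PublicIP", 993, "mail", 993)  # assumed hairpin static
    return asa
```

Running `thread_config(False).hairpin("inside", "tcp", "PublicIP", 993)` reports the missing (inside,inside) static, which is why adding only the global got http working (where a static (inside,inside) was presumably tried) but not 993.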