Can't access services that live on outside interface from inside interface

Answered Question
Sep 20th, 2007

Hi folks,

Still working through my ASA set up and am experiencing the following behavior.


Consider a host (192.168.1.30) on the inside interface trying to access a mail server that resolves to an external ip address, which happens to be my outside interface (1.1.1.1)


I'm not able to connect to a secure IMAP service on that 1.1.1.1 interface when I'm on the host that's on the inside interface (192.168.1.0/24)


Below are the relevant areas of my config, can someone please point out where I've gone wrong? Thanks much!


I should point out that the service on the outside interface does NAT to an internal host named mail. Sounds like hairpin, but I swear that's enabled and not working.


ASA Version 7.2(2)


names

name 192.168.1.20 master

name 192.168.1.10 mail

name 192.168.1.3 yoda

name 1.1.1.1 PublicIP


same-security-traffic permit inter-interface

same-security-traffic permit intra-interface



access-list outside_access_in remark Allow for incoming FTP requests

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark Allow for incoming Secure SMTP requests

access-list outside_access_in extended permit tcp any interface outside eq 465

access-list outside_access_in remark Allow for incoming Secure IMAP requests

access-list outside_access_in extended permit tcp any interface outside eq 993

access-list outside_access_in remark Allow for incoming smtp requests

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in remark Allow for incoming https requests

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit udp any interface outside eq domain

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit tcp any interface outside eq domain

access-list outside_access_in remark Allow for incoming ssh requests

access-list outside_access_in extended permit tcp any interface outside eq ssh

access-list outside_access_in remark Allow for incoming http requests

access-list outside_access_in extended permit tcp any interface outside eq www


global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) tcp interface www master www netmask 255.255.255.255

static (inside,outside) udp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255

static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255

static (inside,outside) tcp interface https mail https netmask 255.255.255.255

static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255

static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255

static (inside,inside) PublicIP master netmask 255.255.255.255




didyap Wed, 09/26/2007 - 10:26

Your config looks fine, this does not seem to be a hairpin issue. However, to rule out the possibility of a hairpinning problem, try to send some other traffic and check if this works. Also check if you are getting any drops on the ASA.

kcaporaso Wed, 09/26/2007 - 11:42
Sure,

I believe this is close, the only issue is that depending on the service I'm after (http, ssh, imap) they all run on a different inside ip address.


So, although the ftp.cisco.com example looks good, if I resolve ssh.cisco.com and it comes back to the same public ip as ftp.cisco.com, but it's really NATed to a different inside ip than the ftp site, how do I deal with that?


Can I add some sort of service designator?


So, as an example:


ftp.cisco.com resolves to public 209.1.1.1, but internally it's running on 10.1.1.1


ssh.cisco.com resolves to public 209.1.1.1,

but internally it's running on 10.1.1.2


Does that make sense as to what I'm trying to do?

Thanks, Kevin

acomiskey Wed, 09/26/2007 - 11:49

DNS Doctoring is not compatible with PAT.

acomiskey Wed, 09/26/2007 - 11:55

Your hairpin configuration looks fine. Could you get some logging going while you are trying the hairpin?


I'm going to guess it's because of the pat as well. Instead of having...


static (inside,outside) PublicIP master netmask 255.255.255.255

static (inside,inside) PublicIP master netmask 255.255.255.255


you have....


static (inside,outside) tcp interface www master www netmask 255.255.255.255

static (inside,outside) udp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface domain master domain netmask 255.255.255.255

static (inside,inside) PublicIP master netmask 255.255.255.255



kcaporaso Wed, 09/26/2007 - 12:07

Logging below... This is when I attempt to attach to my mail server on port 993 from inside host 192.168.1.30.


I see an issue here, it should _not_ be master/993, it should be mail/993 (mail being 192.168.1.10), whereas master is 192.168.1.20 and that's not my mail server. It must be the issue and is probably related to this rule:

static (inside,inside) PublicIP master netmask 255.255.255.255


How is that fixed (read log bottom to top here)?


6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359499 for inside:192.168.1.30/53706 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O


6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359499 for inside:192.168.1.30/53706 (192.168.1.1/3977) to inside:master/993 (PublicIP/993)


6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53706 to inside:192.168.1.1/3977


6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359498 for inside:192.168.1.30/53705 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O


6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359498 for inside:192.168.1.30/53705 (192.168.1.1/3976) to inside:master/993 (PublicIP/993)


6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53705 to inside:192.168.1.1/3976


Thanks!

acomiskey Wed, 09/26/2007 - 12:10

If you are trying to hit mail you would have to have


static (inside,inside) PublicIP mail netmask 255.255.255.255

kcaporaso Wed, 09/26/2007 - 12:28

True, but I can't add that alongside the static (inside,inside) PublicIP master netmask 255.255.255.255


Problem with overlapping rules.

See, I want to hit master for the websites and mail for the mail services, both of which are on the inside, and I'm on the inside.


Any other suggestions?

Thanks!

Correct Answer
acomiskey Wed, 09/26/2007 - 12:35

I know, that's the problem with pat.


Not sure if this will work, I never tried...


static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255

static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255
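As an added illustration of the accepted answer (this is not code from the thread and not Cisco software), the script below models how a pre-8.3 ASA selects a static entry for a hairpinned connection. It parses `name` and `static` lines in the 7.x syntax used in this thread and returns the real host and port a packet to PublicIP/port is delivered to, taking the first matching static in configuration order. Assumptions not in the thread: the inside interface address 192.168.1.1 (taken from the log lines), numeric values for the service keywords, and the per-port `(inside,inside)` entries for 465, 25, 443 and 22 added beyond the two lines in the answer.

```python
"""Model of pre-8.3 ASA static NAT / static PAT untranslation for hairpinned
(inside,inside) traffic. Added example, not Cisco code: it parses 'name' and
'static' lines in ASA 7.x syntax and answers which real host a packet sent to
PublicIP/port is delivered to, using first-match order among static entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service keywords used in the thread's config (the ASA accepts names or numbers).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53,
                 "ssh": 22, "ftp": 21}
# Assumed interface addresses: outside is PublicIP, inside is 192.168.1.1 per the log.
INTERFACE_IP = {"outside": "1.1.1.1", "inside": "192.168.1.1"}

@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None -> static NAT (all ports); "tcp"/"udp" -> static PAT
    mapped_addr: str
    mapped_port: Optional[int]
    real_addr: str
    real_port: Optional[int]

def port_num(tok: str) -> int:
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)

def parse_config(text: str) -> Tuple[Dict[str, str], List[Static]]:
    """Return (names, statics); statics keep config order, which is match order."""
    names: Dict[str, str] = {}
    statics: List[Static] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":                       # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "static":                   # static (real,mapped) [proto] ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):           # static PAT: one port only
                statics.append(Static(real_if, mapped_if, tok[2], tok[3],
                                      port_num(tok[4]), tok[5], port_num(tok[6])))
            else:                                  # static NAT: whole address
                statics.append(Static(real_if, mapped_if, None, tok[2], None, tok[3], None))
    return names, statics

def resolve(addr: str, iface: str, names: Dict[str, str]) -> str:
    """'interface' means that interface's own IP; aliases come from 'name' lines."""
    return INTERFACE_IP[iface] if addr == "interface" else names.get(addr, addr)

def untranslate(cfg: str, ingress_if: str, proto: str, dst_ip: str,
                dst_port: int) -> Optional[Tuple[str, int]]:
    """Real (ip, port) for a packet arriving on ingress_if to dst_ip:dst_port, or
    None when no static applies (the packet is then addressed to the ASA itself)."""
    names, statics = parse_config(cfg)
    for s in statics:
        if s.mapped_if != ingress_if or resolve(s.mapped_addr, s.mapped_if, names) != dst_ip:
            continue
        if s.proto is None:                        # static NAT matches every port
            return resolve(s.real_addr, s.real_if, names), dst_port
        if s.proto == proto and s.mapped_port == dst_port:
            return resolve(s.real_addr, s.real_if, names), s.real_port
    return None

NAMES = """
name 192.168.1.20 master
name 192.168.1.10 mail
name 192.168.1.3 yoda
name 1.1.1.1 PublicIP
"""
OUTSIDE_STATICS = """
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255
static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255
"""
# Hairpin as originally posted: one address-level static sends every port to master.
ORIGINAL = NAMES + OUTSIDE_STATICS + """
static (inside,inside) PublicIP master netmask 255.255.255.255
"""
# Hairpin per the accepted answer: one static PAT per service, aimed at the right host.
FIXED = NAMES + OUTSIDE_STATICS + """
static (inside,inside) tcp PublicIP 993 mail 993 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 465 mail 465 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 443 mail 443 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 22 yoda 22 netmask 255.255.255.255
"""

if __name__ == "__main__":
    # Reproduces the log: an inside host to PublicIP/993 lands on master/993, not mail.
    print(untranslate(ORIGINAL, "inside", "tcp", "1.1.1.1", 993))
    print(untranslate(FIXED, "inside", "tcp", "1.1.1.1", 993))
    print(untranslate(FIXED, "inside", "tcp", "1.1.1.1", 80))
    print(untranslate(FIXED, "inside", "tcp", "1.1.1.1", 143))
```

The first lookup shows why the posted log reads `inside:master/993`: the address-level `static (inside,inside) PublicIP master` claims every port of PublicIP, so an IMAP connection is untranslated to master, and master resets it. With per-port static PAT entries, 993 goes to mail and 80 to master, and a port with no entry (143 here) gets no translation at all. On a real unit the catch-all entry has to be removed before the per-port entries for the same mapped address are added, and since the model (like the ASA) takes the first matching static, the per-port entries must not sit behind an address-level one for the same address. The source side of the hairpin, the `192.168.1.1/3977` in the log, comes from `global (inside) 1 interface` and is unaffected by this change.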

acomiskey Wed, 09/26/2007 - 12:44

Cool...not sure if it would or not. Thanks for the rating.
