09-20-2007 11:10 AM - edited 03-11-2019 04:14 AM
Hi folks,
Still working through my ASA setup and am experiencing the following behavior.
Consider a host (192.168.1.30) on the inside interface trying to access a mail server that resolves to an external ip address, which happens to be my outside interface (1.1.1.1)
I'm not able to connect to a secure IMAP service on that 1.1.1.1 interface when I'm on the host that's on the inside interface (192.168.1.0/24)
Below are the relevant areas of my config; can someone please point out where I've gone wrong? Thanks much!
I should point out that the service on the outside interface does NAT to an internal host named mail. Sounds like hairpin, but I swear that's enabled and not working.
ASA Version 7.2(2)
names
name 192.168.1.20 master
name 192.168.1.10 mail
name 192.168.1.3 yoda
name 1.1.1.1 PublicIP
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark Allow for incoming FTP requests
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark Allow for incoming Secure SMTP requests
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in remark Allow for incoming Secure IMAP requests
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in remark Allow for incoming smtp requests
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow for incoming https requests
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in remark Allow for incoming ssh requests
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark Allow for incoming http requests
access-list outside_access_in extended permit tcp any interface outside eq www
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255
static (inside,outside) tcp interface https mail https netmask 255.255.255.255
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255
09-26-2007 10:26 AM
Your config looks fine; this does not seem to be a hairpin issue. However, to rule out the possibility of a hairpinning problem, try to send some other traffic and check if this works. Also check if you are getting any drops on the ASA.
09-26-2007 11:14 AM
see if this link helps you understand your problem - and the solution.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042753
09-26-2007 11:42 AM
Sure,
I believe this is close, the only issue is that depending on the service I'm after (http, ssh, imap) they all run on a different inside ip address.
So, although the ftp.cisco.com example looks good, if I resolve ssh.cisco.com and it comes back to the same public ip as ftp.cisco.com, but it's really NATed to a different inside ip than the ftp site, how do I deal with that?
Can I add some sort of service designator?
So, as an example:
ftp.cisco.com resolves to public 209.1.1.1, but internally it's running on 10.1.1.1
ssh.cisco.com resolves to public 209.1.1.1, but internally it's running on 10.1.1.2
Does that make sense as to what I'm trying to do?
Thanks, Kevin
09-26-2007 11:49 AM
DNS Doctoring is not compatible with PAT.
09-26-2007 11:55 AM
Your hairpin configuration looks fine. Could you get some logging going while you are trying the hairpin?
I'm going to guess it's because of the pat as well. Instead of having...
static (inside,outside) PublicIP master netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255
you have....
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255
09-26-2007 12:07 PM
Logging below... This is when I attempt to attach to my mail server on port 993 from inside host 192.168.1.30.
I see an issue here: it should _not_ be master/993, it should be mail/993 (mail being 192.168.1.10), whereas master is 192.168.1.20 and that's not my mail server. It must be the issue and is probably related to this rule:
static (inside,inside) PublicIP master netmask 255.255.255.255
How is that fixed (read log bottom to top here)?
6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359499 for inside:192.168.1.30/53706 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O
6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359499 for inside:192.168.1.30/53706 (192.168.1.1/3977) to inside:master/993 (PublicIP/993)
6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53706 to inside:192.168.1.1/3977
6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359498 for inside:192.168.1.30/53705 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O
6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359498 for inside:192.168.1.30/53705 (192.168.1.1/3976) to inside:master/993 (PublicIP/993)
6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53705 to inside:192.168.1.1/3976
Thanks!
09-26-2007 12:10 PM
If you are trying to hit mail you would have to have
static (inside,inside) PublicIP mail netmask 255.255.255.255
09-26-2007 12:28 PM
True, but I can't add that alongside the static (inside,inside) PublicIP master netmask 255.255.255.255
Problem with overlapping rules.
See, I want to hit master for the websites and mail for the mail services, both of which are on the inside, and I'm on the inside.
Any other suggestions?
Thanks!
09-26-2007 12:35 PM
I know, that's the problem with pat.
Not sure if this will work, I never tried...
static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255
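Added example (not from this thread or from Cisco) that models why the per-port statics above fix the problem: a whole-host static (inside,inside) sends every port of PublicIP to master, while port-specific statics let 993 go to mail and 80 to master. The config fragments, the interface addresses and the overlap rule (two statics claiming the same mapped address cannot coexist) are constructed from the posts and are assumptions of the model, not ASA behaviour verified here.

```python
# Constructed from the thread: names, well-known service ports, and the
# interface addresses the logs suggest (assumed, not taken from a real box).
NAMES = {"master": "192.168.1.20", "mail": "192.168.1.10", "PublicIP": "1.1.1.1"}
SERVICES = {"www": 80, "smtp": 25, "https": 443, "ssh": 22, "domain": 53, "ftp": 21}
IFACE_IP = {"inside": "192.168.1.1", "outside": "1.1.1.1"}

BEFORE = ["static (inside,inside) PublicIP master netmask 255.255.255.255"]
AFTER = [
    "static (inside,inside) tcp PublicIP 993 mail 993 netmask 255.255.255.255",
    "static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255",
    "static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255",
]

def addr(tok, ifc):
    """Resolve a 'names' entry or the 'interface' keyword to an IP address."""
    return IFACE_IP[ifc] if tok == "interface" else NAMES.get(tok, tok)

def port(tok):
    return SERVICES.get(tok) or int(tok)

def parse_static(line):
    """ASA 7.x static: (real_ifc,mapped_ifc) [tcp|udp] mapped [mport] real [rport]."""
    t = line.split()
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):  # static PAT: one port of the mapped address
        return (mapped_ifc, t[2], addr(t[3], mapped_ifc), port(t[4]), addr(t[5], real_ifc), port(t[6]))
    return (mapped_ifc, None, addr(t[2], mapped_ifc), None, addr(t[3], real_ifc), None)

def resolve(config, mapped_ifc, proto, dst_ip, dst_port):
    """Inside (ip, port) that a packet to dst_ip:dst_port arriving on mapped_ifc
    is translated to, or None when no static on that interface matches."""
    statics = [parse_static(line) for line in config]
    for ifc, p, mip, mport, rip, rport in statics:  # port statics match exactly
        if (ifc, p, mip, mport) == (mapped_ifc, proto, dst_ip, dst_port):
            return rip, rport
    for ifc, p, mip, _, rip, _ in statics:  # whole-host static claims every port
        if (ifc, p, mip) == (mapped_ifc, None, dst_ip):
            return rip, dst_port
    return None

def overlapping(config):
    """Pairs of statics that claim the same mapped address on the same interface
    where at least one is whole-host (the 'overlapping rules' complaint above)."""
    s = [parse_static(line) for line in config]
    return [(a, b) for i, a in enumerate(s) for b in s[i + 1:]
            if a[0] == b[0] and a[2] == b[2] and (a[3] is None or b[3] is None)]
```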
09-26-2007 12:41 PM
Woo Hoo! It works! Thanks a ton!!
09-26-2007 12:44 PM
Cool...not sure if it would or not. Thanks for the rating.