Can't access services that live on outside interface from inside interface

kcaporaso
Level 1

Hi folks,

Still working through my ASA set up and am experiencing the following behavior.

Consider a host (192.168.1.30) on the inside interface trying to access a mail server that resolves to an external ip address, which happens to be my outside interface (1.1.1.1)

I'm not able to connect to a secure IMAP service on that 1.1.1.1 interface when I'm on the host that's on the inside interface (192.168.1.0/24)

Below are the relevant areas of my config; can someone please point out where I've gone wrong? Thanks much!

I should point out that the service on the outside interface does NAT to an internal host named mail. Sounds like hairpin, but I swear that's enabled and not working.

ASA Version 7.2(2)

names
name 192.168.1.20 master
name 192.168.1.10 mail
name 192.168.1.3 yoda
name 1.1.1.1 PublicIP

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_access_in remark Allow for incoming FTP requests
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark Allow for incoming Secure SMTP requests
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in remark Allow for incoming Secure IMAP requests
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in remark Allow for incoming smtp requests
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow for incoming https requests
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in remark Allow for incoming ssh requests
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark Allow for incoming http requests
access-list outside_access_in extended permit tcp any interface outside eq www

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255
static (inside,outside) tcp interface https mail https netmask 255.255.255.255
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255

11 Replies

didyap
Level 6

Your config looks fine; this does not seem to be a hairpin issue. However, to rule out the possibility of a hairpinning problem, try sending some other traffic and check if that works. Also check if you are getting any drops on the ASA.

See if this link helps you understand your problem, and the solution:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042753

Sure,

I believe this is close; the only issue is that, depending on the service I'm after (http, ssh, imap), they all run on a different inside IP address.

So, although the ftp.cisco.com example looks good, if I resolve ssh.cisco.com and it comes back to the same public ip as ftp.cisco.com, but it's really NATed to a different inside ip than the ftp site, how do I deal with that?

Can I add some sort of service designator?

So, as an example:

ftp.cisco.com resolves to public 209.1.1.1, but internally it's running on 10.1.1.1

ssh.cisco.com resolves to public 209.1.1.1, but internally it's running on 10.1.1.2

Does that make sense as to what I'm trying to do?

Thanks, Kevin

DNS Doctoring is not compatible with PAT.

Your hairpin configuration looks fine. Could you get some logging going while you are trying the hairpin?

I'm going to guess it's because of the pat as well. Instead of having...

static (inside,outside) PublicIP master netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255

you have....

static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255

Logging below... This is when I attempt to attach to my mail server on port 993 from inside host 192.168.1.30.

I see an issue here: it should _not_ be master/993, it should be mail/993 (mail being 192.168.1.10), whereas master is 192.168.1.20 and that's not my mail server. It must be the issue and is probably related to this rule:

static (inside,inside) PublicIP master netmask 255.255.255.255

How is that fixed (read log bottom to top here)?

6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359499 for inside:192.168.1.30/53706 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O
6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359499 for inside:192.168.1.30/53706 (192.168.1.1/3977) to inside:master/993 (PublicIP/993)
6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53706 to inside:192.168.1.1/3977
6|Sep 26 2007|15:56:46|302014|192.168.1.30|master|Teardown TCP connection 359498 for inside:192.168.1.30/53705 to inside:master/993 duration 0:00:00 bytes 0 TCP Reset-O
6|Sep 26 2007|15:56:46|302013|192.168.1.30|master|Built inbound TCP connection 359498 for inside:192.168.1.30/53705 (192.168.1.1/3976) to inside:master/993 (PublicIP/993)
6|Sep 26 2007|15:56:46|305011|192.168.1.30|192.168.1.1|Built dynamic TCP translation from inside:192.168.1.30/53705 to inside:192.168.1.1/3976

Thanks!

If you are trying to hit mail, you would have to have

static (inside,inside) PublicIP mail netmask 255.255.255.255

True, but I can't add that alongside the static (inside,inside) PublicIP master netmask 255.255.255.255

Problem with overlapping rules.

See, I want to hit master for the websites and mail for the mail services, both of which are on the inside, and I'm on the inside.

Any other suggestions?

Thanks!

I know, that's the problem with pat.

Not sure if this will work, I never tried...

static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255
static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255
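Added example, not from the thread or from Cisco: a small Python model of how a hairpinned flow from inside picks an ASA 7.2 static entry, showing why the full-IP PublicIP-to-master static sent port 993 to master (as the 302013 log lines above show) and why per-port statics to different inside hosts can coexist. The matching order and the overlap check are my simplification, not the ASA's actual code path; the rules are the ones posted, with a 993-to-mail line added by analogy to the accepted fix.

```python
# Added example (not the thread's or Cisco's code): simplified model of
# static-NAT selection for a hairpinned flow on ASA 7.2. Port statics are
# tried first; the overlap check mirrors the "overlapping" rejection above.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Static:
    proto: Optional[str]   # "tcp"/"udp" for a port static, None for full-IP
    gip: str               # global (mapped) address, e.g. PublicIP
    gport: Optional[int]
    lip: str               # real inside host, e.g. mail
    lport: Optional[int]


def parse_static(line: str) -> Static:
    """Parse 'static (x,y) [tcp|udp] GIP [GPORT] LIP [LPORT] netmask ...'."""
    t = line.split()
    if t[0] != "static" or "netmask" not in t:
        raise ValueError(f"not a static command: {line!r}")
    if t[2] in ("tcp", "udp"):
        return Static(t[2], t[3], int(t[4]), t[5], int(t[6]))
    return Static(None, t[2], None, t[3], None)


def check_overlap(statics) -> None:
    """Model of the rejection Kevin hit: a second full-IP static claiming
    the same global address is refused (only full-IP duplicates modelled)."""
    full = [s.gip for s in statics if s.proto is None]
    dup = {g for g in full if full.count(g) > 1}
    if dup:
        raise ValueError(f"overlapping full-IP static for {sorted(dup)}")


def resolve(statics, proto, dst_ip, dst_port):
    """Inside host/port a flow to dst_ip/dst_port is forwarded to, or None.
    A matching port static is consulted before any full-IP static."""
    for s in statics:
        if (s.proto, s.gip, s.gport) == (proto, dst_ip, dst_port):
            return (s.lip, s.lport)
    for s in statics:
        if s.proto is None and s.gip == dst_ip:
            return (s.lip, dst_port)
    return None


# Original hairpin rule from the thread (everything to PublicIP goes to master)
ORIGINAL = [parse_static("static (inside,inside) PublicIP master netmask 255.255.255.255")]
# Accepted fix, plus a 993 line for IMAPS added by analogy (assumption)
FIXED = [parse_static(cmd) for cmd in (
    "static (inside,inside) tcp PublicIP 25 mail 25 netmask 255.255.255.255",
    "static (inside,inside) tcp PublicIP 80 master 80 netmask 255.255.255.255",
    "static (inside,inside) tcp PublicIP 993 mail 993 netmask 255.255.255.255",
)]
```

With ORIGINAL, PublicIP/993 from the inside resolves to master/993, which is exactly the mapping the log lines show; with FIXED it resolves to mail/993 while PublicIP/80 still goes to master.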

Woo Hoo! It works! Thanks a ton!!

Cool...not sure if it would or not. Thanks for the rating.
