For instance, if my outside IP address were 10.10.10.10, and I tried to access this IP address from inside my LAN (on a 192.168.1.100 machine), I am getting blocked. I can access 10.10.10.10 from outside the LAN (from a proxy lets say).

This also rears its ugly head with SSH (Putty) with tunnels. I can establish a SSH connection, but as soon as I tunnel, it cannot connect (I am assuming that is b/c the SSH server inside the LAN cannot see the outside IP address which is the tunnel destination).

HI-

I'm still a bit unclear on what the issue is. Are you saying that 10.10.10.10 is the outside interface of the ASA and you can connect to it via telnet from the outise but not from inside your LAN? There is a command that you can add to allow access:

telnet [source ip] [source mask] inside

telnet [source ip] [source mask] outside

specify the network or host (use a /32 for the mask if specifying a host) that you are telneting from. the inside\outside designates which interface you are allowing access to. You can also do this with ssh:

ssh [source ip] [source mask] outside

I need more detail on your tunneling issue.

HTH,

Paul

This is any protocol/port. I can't even pull up a browser and hit my web server (outside ip address) from inside the LAN.

Wouldn't this be defaulted to on? Why would I be blocked by default to my own outside interface?

I am using the GUI. Could you tell me what I would do in the GUI to allow an inside IP address to access the Outside Interface IP address?

Hi, from what I can understand seems you are trying a U-turn traffic. You are trying to connect to an inside system using its nated address on the outside , is this correct? if so you are looking at hairpining same-security-traffic permit intra-interface, allows traffic to exit out on the interface it was received on or look into dns doctoring.

go over these two links

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

Rgds

Jorge

I think that your config may have an error in it. Can you post your whole config with any public IP addresses removed please?

Thanks,

Paul

Hello,

The ASAs normal behave is that from inside interface network you can't reach the other interfaces like from inside network you can't ping (reach) your ASA's outside interface. From inside network you can't ping the DMZ interface, but can reach the hosts on the DMZ (if ACL permits the traffic). Regarding the inside-outside interface relation: probably the servers have a NAT-ted address, it means that your servers have private addresses and public at the same time, from inside network you can't reach the public IP of the servers, since you try to reach your servers through inside interface - outside interface direction, instead of from outside direction.

There is no way to reach your internally hosted servers from inside with their public NAT-ted address and there is no meaning to do that (from inside network I usually want to reach my servers through a protected link, eg: inside to dmz). If you make a DNS record in your name server you can set in in the internal zone Server1 record pointing to private and in the public DNS server pointing to the Public IP address.

If you have any further question or something is still unclear let me know.

bye

FCS

Please rate me if I helped.

I'm sorry, this just makes no sense. There is no meaning to test an internal server from the public IP address?? huh?

Anyways, here is another reason why you would do that (and a major reason for me as well). I use SSH to tunnel through a specific port that is then forwarded to the appropiate address. This address must be the PUBLIC IP address of my router. But because the SSH server, running internally, cannot see the outside IP address, this entire process breaks down.

I will try the loop-back idea tonight and see if that helps. Really, this is a very bizarre issue to me -- why should you have any issue looking up a PUBLIC IP address -- whether it was on your router or someone else's router. Shouldn't make a difference.

Sir,

I've never do a test for my servers' public IP from the Internal network. If I want to do a test for the Public NATted address I use an external host. If your default route is through the ASA, how can the ASA reach the NAT global address which is NAT-ted to a virtual address.

If your router is front of the firewall and has a valid public address you should be able to connect it, through the firewall if ACL-s are permit it. But from inside network to the outside interface of the ASA and other global NAT address you can't connect. Of course Hosts sits on the same subnet as the outside interface of the ASA whose has real interfaces (not natted) are accessible with SSH or any other protocols.

bye

FCS

Please rate me if I helped.