ASA 5505 web servers not accessible internally

Jul 28th, 2008

We have some web servers set up internally, I have NAT configured and they are working if you type in a domain URL from an external network, but if you type in the same domain URL on a computer in the internal network, it throws a "portmap translation" error. Does anyone know what causes this? I have gotten it to stop giving me an error when I mess around with the NAT settings but the page will never parse.



More info on the connections: right now we have 2 WAN connections, one is for internal DHCP clients inside - outside, and one is a faster connection outside - inside for the web servers.


We have a block of 13 statics on both connections, but only the T1 connection is using more than one. Thanks for any advice you can provide, and yes my config is messy, and my ACLs are goofy, but I spent my weekend learning this stuff.


ATTACHED CONFIG: Result of the command: "show running-config"





maver1ck4000 Mon, 07/28/2008 - 13:56

I went through and looked at that some, but it's not helping my problems any. I got to the point where it's timing out now instead of being completely dropped, but I still can't pull up a web page. Kind of frustrating to be so close.

Correct Answer
JORGE RODRIGUEZ Mon, 07/28/2008 - 14:20

From inside you are accessing your own public webserver but the request is pointing to the public IP, try the hairpinning solution on the same page, assuming 192.168.1.100 is the webserver on interface inside.



same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100



maver1ck4000 Tue, 07/29/2008 - 08:20

At first I didn't think it was working, I went back through in CLI and cleaned out all my NAT stuff and started fresh. The hairpinning solution worked! Here is what I did.


Since I have 3 interfaces I had to set up two separate NATs for each.


same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100


was only the beginning


What I have is a little different since it's not really a DMZ, it's 2 WAN connections, but I kind of treated my T1 line as a DMZ even though the ASA doesn't see it as such.


The biggest thing I think was adding the


global (inside) 1 interface

along with

global (Cable) 1 interface


Interface names:

outside = cable

inside = inside

dmzish = T1

Two entries are needed in NAT for internal:

static (inside,Cable) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

static (inside,inside) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255


and one for external:

static (inside,T1) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255


Thank you to everyone who helped out, this was a tough one for me being a beginner, now I have a very good understanding of NAT :)
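The three things this thread converges on for a working hairpin (the intra-interface permit, a static (inside,inside) twin of each public static, and a global on the inside interface so the client's source gets translated and the server's reply comes back through the ASA instead of going straight to the client) can be checked mechanically before touching a box. The script below is an added example and is not the poster's config or anything from Cisco; it parses the pre-8.3 ASA syntax used in the thread from a constructed config string, where 203.0.113.197 is a documentation-range placeholder standing in for the thread's xxx.xxx.123.197, and the interface names Cable, inside and T1 are taken from the final post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config in the pre-8.3 ASA syntax used in the thread.
# 203.0.113.197 is a placeholder for the thread's xxx.xxx.123.197.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif Cable
 security-level 0
interface Vlan3
 nameif T1
 security-level 0
same-security-traffic permit intra-interface
global (Cable) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,Cable) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,inside) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,T1) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
"""

# "static (real_if,mapped_if) mapped_ip real_ip ..." and "global (if) <id> ..."
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ ")


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


@dataclass
class AsaNat:
    intra_interface: bool = False          # same-security-traffic permit intra-interface
    globals_on: set = field(default_factory=set)   # interfaces with a global pool
    statics: list = field(default_factory=list)


def parse(config: str) -> AsaNat:
    """Pull the NAT-relevant lines out of a running-config dump."""
    nat = AsaNat()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            nat.intra_interface = True
        elif (m := GLOBAL_RE.match(line)):
            nat.globals_on.add(m.group(1))
        elif (m := STATIC_RE.match(line)):
            nat.statics.append(Static(*m.groups()))
    return nat


def hairpin_findings(nat: AsaNat):
    """For every public static, report what is missing for hosts on the real
    interface to reach the server through its public IP. Returns a list of
    (mapped_ip, issue) tuples; an empty list means the hairpin is complete."""
    findings = []
    public = {(s.real_if, s.mapped_ip, s.real_ip)
              for s in nat.statics if s.real_if != s.mapped_if}
    for real_if, mapped_ip, real_ip in sorted(public):
        if not nat.intra_interface:
            findings.append((mapped_ip, "no-intra-interface"))
        has_twin = any(t.real_if == real_if and t.mapped_if == real_if
                       and t.mapped_ip == mapped_ip and t.real_ip == real_ip
                       for t in nat.statics)
        if not has_twin:
            findings.append((mapped_ip, "no-static-inside-inside"))
        # Without a global on the real interface the client's address is not
        # translated, so the server answers the client directly and the ASA
        # never sees the return half of the TCP session.
        if real_if not in nat.globals_on:
            findings.append((mapped_ip, "no-global-on-real-if"))
    return findings


def without(config: str, needle: str) -> str:
    """Helper for what-if checks: drop every config line containing needle."""
    return "\n".join(l for l in config.splitlines() if needle not in l)


if __name__ == "__main__":
    print("complete config:", hairpin_findings(parse(SAMPLE_CONFIG)))
    broken = without(without(SAMPLE_CONFIG, "(inside,inside)"), "intra-interface")
    print("before the fix:", hairpin_findings(parse(broken)))
```

Run it against a real `show running-config` capture by replacing SAMPLE_CONFIG with the file contents; the same three checks apply for each public static, regardless of how many outside interfaces it is published on. Note that ASA 8.3 and later replaced this syntax with object NAT, so the parser only applies to the 8.2-and-earlier configs discussed here.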


