
Allow egress traffic on an outside interface back in the same interface

pootboy69
Level 1

Our web site is hosted on our internal network (not on a DMZ). Attempting to contact it from the INSIDE network, through our ASA5510 at its DNS-acquired public internet address fails. Access to this site from OUTSIDE works. Both "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface" are configured. Do I need a static route? If so, how is this configured? Thanx!

4 Replies

Kureli Sankar
Cisco Employee

You only need intra-interface.

You need static (inside,inside) 10.10.10.1 10.10.10.1

for the host that is trying to load the page using the public address, and also

static (inside,inside) public_IP_of_webserver private_ip_webserver

BTW, the correct way to do this is to access the server using its private address from the inside and not the translated address.

-KS

Excellent! BTW, as I am the newbie here, I didn't know the inside web server address. It turns out that this type of issue has been bugging these folks for a while. I'll implement this and let you know the results. Thank you!

Wolf

Well, that didn't work.  I applied:

static (in_Laker,in_Laker) 10.10.30.208 10.10.30.208
static (in_Laker,in_Laker) 192.168.1.232 10.10.30.156

where 10.10.30.208 is my machine, 192.168.1.232 is the outside and 10.10.30.156 the inside IP of the web server. in_Laker is the name of the inside interface. Any additional thoughts? Thanx!

Wolf

Michael Dombek
Level 1

Maybe you are better off with this solution (depending on the location of your DNS):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

BTW, you should change the public IP address in your last post.

Cheers Michael
