ASA 5505 8.4(2) allow internal user to access internal www server with only one public IP

Aug 2nd, 2011

I tried the solution posted at https://supportforums.cisco.com/message/3390056#3390056, however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address, so the web server is responding to port forwarding through the one public IP already. Looking in ASDM, it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.

object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
object-group network internal_net
 network-object 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic internal_net interface destination static Public_IP Private_IP
object network obj_any
 nat (inside,outside) dynamic interface
object network Private_IP
 nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside

Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.

Thanks,

varrao Tue, 08/02/2011 - 23:30

Hi Joe,

You would also need the command:

same-security-traffic permit intra-interface

Could you also provide the output of show run from your firewall?

Thanks,

Varun

joeippolito Wed, 08/03/2011 - 07:27

Rao,

Thanks much. That did fix the problem for the internal host, however it cut off the external too. I can play with the internal range and try to see if that fixes it. I could post the full sh run, but it takes some time to change all the sensitive stuff - maybe this evening if I still don't have it working.

Thanks,

Joe

varrao Wed, 08/03/2011 - 08:37

Sure Joe, let me know if you get stuck anywhere, or else you can just provide me these outputs:

show run nat
show run access-list
show run access-group
show run same

This would be enough.

Thanks,

Varun

joeippolito Wed, 08/03/2011 - 18:28

Varun,

It worked like a champ this time, and this is basically what I did:

object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
object network dhcp_range
 range 192.168.1.1 192.168.1.32
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic dhcp_range interface destination static Public_IP Private_IP
same-security-traffic permit intra-interface
object network obj_any
 nat (inside,outside) dynamic interface

Thanks for all your help. Now I will pursue getting it to do DNS resolution so that the Public_IP can be a fqdn instead of the DHCP address from my ISP, then ssh to manage it and IPv6.
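The following is an added example, not part of the thread or Cisco's code: a small Python model of the hairpin (twice NAT) rule the thread ends up with, fed the working configuration above as constructed text. It shows why both halves of the rule matter: the destination is untranslated from Public_IP to Private_IP, the source is PAT'd to the inside interface so the server's reply returns via the ASA, and nothing is hairpinned at all unless same-security-traffic permit intra-interface is present. The inside interface address 192.168.1.254 is an assumption; the thread never states it.

```python
import ipaddress
import re

# Constructed sample: the working configuration posted in the thread, in
# 'show run' style. The inside interface address is an assumption.
INSIDE_IF_IP = "192.168.1.254"
RUNNING_CONFIG = """
object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
object network dhcp_range
 range 192.168.1.1 192.168.1.32
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic dhcp_range interface destination static Public_IP Private_IP
"""

def parse_objects(cfg):
    """Map 'object network' names to (first, last) address tuples (minimal ASA parser)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = (m.group(1), m.group(1))
        elif current and (m := re.match(r"\s+range (\S+) (\S+)", line)):
            objects[current] = (m.group(1), m.group(2))
    return objects

def in_range(ip, rng):
    lo, hi = (int(ipaddress.ip_address(x)) for x in rng)
    return lo <= int(ipaddress.ip_address(ip)) <= hi

def hairpin(cfg, src, dst):
    """Return (translated_src, translated_dst) for an inside->inside flow,
    or None when the ASA would not hairpin it."""
    if "same-security-traffic permit intra-interface" not in cfg:
        return None  # traffic re-entering 'inside' is dropped without this
    objs = parse_objects(cfg)
    rule = (r"nat \(inside,inside\) source dynamic (\S+) interface "
            r"destination static (\S+) (\S+)")
    for m in re.finditer(rule, cfg):
        src_obj, pub_obj, priv_obj = m.groups()
        if in_range(src, objs[src_obj]) and in_range(dst, objs[pub_obj]):
            # source PAT to the inside interface IP, destination to the real server
            return INSIDE_IF_IP, objs[priv_obj][0]
    return None  # source outside the translated range: no hairpin rule matches
```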
