ASA 5505 8.4(2) allow internal user to access internal www server with only one public IP

Unanswered Question
Aug 2nd, 2011

I tried the solution posted at https://supportforums.cisco.com/message/3390056#3390056; however, it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address, so the web server is responding to port forwarding through the one public IP already. Looking in ASDM, it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.


object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
object-group network internal_net
 network-object 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic internal_net interface destination static Public_IP Private_IP
object network obj_any
 nat (inside,outside) dynamic interface
object network Private_IP
 nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside


Can I fix an access list (or something) to make this work, or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.


Thanks,

varrao Tue, 08/02/2011 - 23:30

Hi Joe,


You would also need the command:


same-security-traffic permit intra-interface


Could you also provide the output of show run from your firewall?


Thanks,

Varun

joeippolito Wed, 08/03/2011 - 07:27

Rao,


Thanks much. That did fix the problem for internal hosts; however, it cut off external access too. I can play with the internal range and try to see if that fixes it. I could post the full sh run, but it takes some time to change all the sensitive stuff - maybe this evening if I still don't have it working.


Thanks,


Joe

varrao Wed, 08/03/2011 - 08:37

Sure Joe, let me know if you get stuck anywhere, or else you can just provide me these outputs:


show run nat
show run access-list
show run access-group
show run same

This would be enough.


Thanks,

Varun

joeippolito Wed, 08/03/2011 - 18:28

Varun,


It worked like a champ this time, and this is what I did, basically:


object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
object network dhcp_range
 range 192.168.1.1 192.168.1.32
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic dhcp_range interface destination static Public_IP Private_IP
same-security-traffic permit intra-interface
object network obj_any
 nat (inside,outside) dynamic interface


Thanks for all your help. Now I will pursue getting it to do DNS resolution so that the Public_IP can be an FQDN instead of the DHCP address from my ISP, then SSH to manage it, and IPv6.
