Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2408
Views
0
Helpful
3
Replies

NAT server access through a public IP

Go to solution
Carlos Yahir Ramirez Huerta
Level 1
Level 1

‎10-01-2013 11:35 AM - edited ‎03-11-2019 07:45 PM

Hi, I have a ASA 5550 with a ios version 9. This ASA has a public ip to give access to the inside users (NAT overload) and it has an other public ip to do a static nat to connect the outside users with a  server inside of the network (http).

All works great but now, I need to achieve that if I am in the inside segment, I can access to the server but with the public ip.

for example.

I am connected in the inside network, I have a 192.168.115.80 and the server has the 192.168.115.33, If I browse the server with the 192.168.115.33, I get access to the server.

But now, instead of browse with the private ip (192.168.115.33) I want to browse with the public ip that I use to permit public user to get access.

are there any feature to do this?

Thanks!!!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Carlos Yahir Ramirez Huerta

‎10-01-2013 02:16 PM

Hi,

The problem is with the order of the NAT configurations.

You have 2 options to make this work

  • Remove the command you just added and add it with a line number so its at the top of the NAT rules
  • Remvoe your Dynamic PAT rule for all users and enter it in a new format so it doesnt cause problem for the NAT configuration I suggested. This option will naturally cause a small outage to Internet users behind the ASA while the first option doesnt cause this.

I would rather use the second option though you might want to use the first if you dont want to cause any problems for Internet users (even though its a small outage in the connections)

First option can be done in the following way

no nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www

nat (inside,inside) 1 source dynamic 115 interface destination static ip_publica_servicios www

The second option which I prefer would be done in this way

no nat (inside,outside) source dynamic Internet interface

nat (inside,outside) after-auto source dynamic Internet interface

The reason why I prefer removing the Dynamic PAT for Internet users and changing its configuration format is because at its current form its overriding all other NAT configurations because its configured as the higher priority NAT configuration which it really shouldnt be. By adding the "after-auto" the Dynamic PAT will still work for all the LAN users but wont interfere with the other NAT configurations like its doing now

Hope this clarifies the situation

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-01-2013 11:45 AM

Hi,

It requires you to configure a bit unusual NAT configuration and you will also have to confirm that you have a certain setting enabled.

So first you will have to confirm that you have the configuration "same-security-traffic permit intra-interface". You can show the settings with "show run same-security-traffic" command for example. This command/setting will allow the ASA to have a connection incoming and leaving through the same interface. In this case that interface would seem to be "inside".

The actual NAT configuration will be between the "inside" and "inside" interface. It will both translate the source address of the user to the "inside" interface IP address (server will see connection coming from the ASA interface IP address rather than the host directly. This is important for traffic to flow correctly with regards to the ASA) and also do the Static NAT required by the server.

Here is a NAT configuration that should work for your situation

object network SERVER-PUBLIC

host 1.1.1.1

object network SERVER-LOCAL

host 192.168.115.33

object network LAN

subnet 192.168.115.0 255.255.255.0

nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL

Hope this helps

Please  do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

0 Helpful

Go to solution
Carlos Yahir Ramirez Huerta
Level 1
Level 1
In response to Jouni Forss

‎10-01-2013 02:08 PM

Hi JouniForss thanks for your help.

I applied the comands like you said, but I can not connect yet.

I have the "same-security-traffic permit intra-interface" command and these are my nat and objects:


object network www

host 192.168.115.32

object network ip_publica_servicios

host 187.157.145.182

object network 115

subnet 192.168.115.0 255.255.255.0

object-group network Internet

description Vlans permitidas a internet

network-object 192.168.111.0 255.255.255.0

network-object 192.168.112.0 255.255.255.0

network-object 192.168.115.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

nat (inside,outside) source dynamic Internet interface

nat (inside,outside) source static any any destination static usuarios_vpn usuarios_vpn no-proxy-arp route-lookup

nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www

!

object network www

nat (inside,outside) static ip_publica_servicios service tcp www www

Do you think that the other nat can cause the problem?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Carlos Yahir Ramirez Huerta

‎10-01-2013 02:16 PM

Hi,

The problem is with the order of the NAT configurations.

You have 2 options to make this work

  • Remove the command you just added and add it with a line number so its at the top of the NAT rules
  • Remvoe your Dynamic PAT rule for all users and enter it in a new format so it doesnt cause problem for the NAT configuration I suggested. This option will naturally cause a small outage to Internet users behind the ASA while the first option doesnt cause this.

I would rather use the second option though you might want to use the first if you dont want to cause any problems for Internet users (even though its a small outage in the connections)

First option can be done in the following way

no nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www

nat (inside,inside) 1 source dynamic 115 interface destination static ip_publica_servicios www

The second option which I prefer would be done in this way

no nat (inside,outside) source dynamic Internet interface

nat (inside,outside) after-auto source dynamic Internet interface

The reason why I prefer removing the Dynamic PAT for Internet users and changing its configuration format is because at its current form its overriding all other NAT configurations because its configured as the higher priority NAT configuration which it really shouldnt be. By adding the "after-auto" the Dynamic PAT will still work for all the LAN users but wont interfere with the other NAT configurations like its doing now

Hope this clarifies the situation

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card