I have a small issue with a small network. I have two servers and a LAN behind a 5505 in one vlan. The servers are natted/port forwarded out using the outside interface's public addressing.
One server for ssh
One server for http(s)
Let's say the servers are 192.168.1.20 and 21
.21 is the web server
The LAN uses public dns provided by the ISP. DHCP range is 192.168.1.50-100 and provided by the ASA
On the LAN, it cannot route to the webserver due to only having the one inside vlan and one outside vlan. I cannot break the servers off to another vlan due to issues with an outside consultant.
So when trying to hit the url of our website, it attempts to hit the outside interface ip of the ASA and cannot due to only having the singular default route out. Is there a way to nat this or route it so that the internal clients can hit the outside interface and see the website without using the internal IP of the webserver? I can provide some config if needed.
So you want the users to be able to connect to the public IP address specifically from the LAN?
Could you tell us the software level of your ASA and perhaps share the current NAT configuration with the following commands:
Software level 8.2 or below
show run global
show run nat
show run static
Software level 8.3 or above
show run nat
Hi Jouni -
Running 9.1(1) software
Here's the result of sh run nat for the affected server
Result of the command: "sh run nat"
nat (inside,outside) source static local_nets local_nat_pool destination static monitoring_network monitoring_network
object network obj_any
 nat (inside,outside) dynamic interface
object network webserverhttp
 nat (inside,outside) static interface service tcp www www
object network webserverhttps
 nat (inside,outside) static interface service tcp https https
object network webservervsftp
 nat (inside,outside) static interface service tcp ftp ftp
object network Infotechssh
 nat (inside,outside) static interface service tcp ssh ssh
You could try the following configurations. Insert the public IP address to the below configurations that matches your current "outside" interface public IP address.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network SERVER-SSH
 host 192.168.1.20
object network SERVER-WEB
 host 192.168.1.21
object network SERVER-PUBLIC
 host <outside-interface-public-ip>
object service WWW
 service tcp destination eq 80
object service HTTPS
 service tcp destination eq 443
object service SSH
 service tcp destination eq 22
nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-SSH service SSH SSH
nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-WEB service WWW WWW
nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-WEB service HTTPS HTTPS
This should essentially make it so that when connections come from the network LAN towards SERVER-PUBLIC with the services SSH, WWW or HTTPS, the connections are actually forwarded to the local SERVER-SSH or SERVER-WEB.
Also, the LAN users' address will be mapped to the "inside" interface IP address (with the "source dynamic LAN interface" configuration) so that the servers actually think the connections are coming from the ASA IP. This is essential in this configuration as otherwise the traffic flow won't be correct for the ASA. What I mean is that the ASA would not see the whole "conversation" between the host and server without this type of NAT configuration and would block the connections.
Let me know if this works for you.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed though.
You just forgot to add the same-security-traffic permit intra-interface command to allow the U-turn.
Can you provide what the full statement should be? Following JouniForss, it looked like packets would be allowed, but then the same issue occurred. Thanks!
Yes, the command mentioned by Jumora was missing from my examples
same-security-traffic permit intra-interface
Otherwise the configurations I mentioned regarding "nat" should work unless other NAT configurations prevent that.
You could use "packet-tracer" to test the configurations. For example (the destination is the "outside" interface public IP and the destination port, here 80 for the web server):
packet-tracer input inside tcp 192.168.1.100 12345 <outside-interface-public-ip> 80
The output should tell us what happens regarding the configurations.
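As an added check that is not part of this thread, the script below audits a `show run` excerpt (ASA 8.3+ syntax) for the two things the replies above call for: a same-interface (inside,inside) twice-NAT rule for every static interface port forward, and the same-security-traffic permit intra-interface command. The config excerpt is constructed from the thread's object names; the service-object port mapping and the regexes are my assumptions about the output format.

```python
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}  # ASA keyword names
FORWARD_RE = re.compile(r"^\s+nat \(\w+,\w+\) static interface service tcp (\S+) \S+")
HAIRPIN_RE = re.compile(r"^nat \((\w+),\1\) .*destination static \S+ \S+ service (\S+) \S+")
SVC_RE = re.compile(r"^object service (\S+)")
PORT_RE = re.compile(r"^\s+service tcp destination eq (\S+)")

def to_port(name: str) -> int:
    return PORT_NAMES.get(name.lower()) or int(name)

def audit_hairpin(config: str) -> dict:
    """Report static-interface port forwards that have no (inside,inside) hairpin
    rule for the same TCP port, and whether intra-interface traffic is permitted."""
    intra, cur_svc, svc_ports = False, None, {}
    forwards, hairpin_svcs = set(), set()
    for line in config.splitlines():
        if not line.startswith(" "):
            cur_svc = None                      # left the current object block
        if line.startswith("same-security-traffic permit intra-interface"):
            intra = True
        elif m := SVC_RE.match(line):
            cur_svc = m.group(1)
        elif (m := PORT_RE.match(line)) and cur_svc:
            svc_ports[cur_svc] = to_port(m.group(1))
        elif m := FORWARD_RE.match(line):
            forwards.add(to_port(m.group(1)))   # real (server-side) port
        elif m := HAIRPIN_RE.match(line):
            hairpin_svcs.add(m.group(2))        # service object, e.g. WWW
    covered = {svc_ports[s] for s in hairpin_svcs if s in svc_ports}
    return {"intra_interface": intra, "missing_hairpin_ports": sorted(forwards - covered)}

# Constructed excerpt: three of the thread's forwards but only two hairpin rules,
# so the FTP forward (port 21) should be reported as missing.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object service WWW
 service tcp destination eq 80
object service SSH
 service tcp destination eq 22
object network webserverhttp
 nat (inside,outside) static interface service tcp www www
object network webservervsftp
 nat (inside,outside) static interface service tcp ftp ftp
object network Infotechssh
 nat (inside,outside) static interface service tcp ssh ssh
nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-SSH service SSH SSH
nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-WEB service WWW WWW
"""
print(audit_hairpin(SAMPLE_CONFIG))  # {'intra_interface': True, 'missing_hairpin_ports': [21]}
```

Feed it the real `show run` output to see which forwarded ports still lack a U-turn rule before reaching for packet-tracer.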
Still getting an error for routing with no route to host. Routes are as follows:
Result of the command: "sh route"
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is PUB GATEWAY to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, inside
C PUB NETWORK 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [10/0] via PUB GATEWAY, outside
Can you post the output of the "packet-tracer" anyway?
Could you also post the current "nat" configuration with the command:
show run nat