ASA 5505 web servers not accessible internally

maver1ck4000
Level 1

We have some web servers set up internally. I have NAT configured, and they are working if you type in the domain URL from an external network, but if you type in the same domain URL on a computer in the internal network, it throws a "portmap translation" error. Does anyone know what causes this? I have gotten it to stop giving me an error when I mess around with the NAT settings, but the page will never parse.

More info on the connections: right now we have two WAN connections. One is for internal DHCP clients (inside to outside), and one is a faster connection (outside to inside) for the web servers.

We have a block of 13 statics on both connections, but only the T1 connection is using more than one. Thanks for any advice you can provide. Yes, my config is messy and my ACLs are goofy, but I spent my weekend learning this stuff.

ATTACHED CONFIG: Result of the command: "show running-config"

1 Accepted Solution


4 Replies

JORGE RODRIGUEZ
Level 10

Read this link; there are a couple of solutions there, one being DNS doctoring.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Jorge

Jorge Rodriguez

I went through and looked at that some, but it's not helping my problems any. I got to the point where it's timing out now instead of being completely dropped, but I still can't pull up a web page. Kind of frustrating to be so close.

From inside you are accessing your own public web server, but the request is pointing to the public IP. Try the hairpinning solution on the same page, assuming 192.168.1.100 is the web server on interface inside.

same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100

Jorge Rodriguez

At first I didn't think it was working. I went back through in the CLI, cleaned out all my NAT stuff and started fresh. The hairpinning solution worked! Here is what I did.

Since I have 3 interfaces, I had to set up two separate NATs for each.

same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100

was only the beginning

What I have is a little different since it's not really a DMZ, it's 2 WAN connections, but I kind of treated my T1 line as a DMZ even though the ASA doesn't see it as such.

The biggest thing I think was adding the

global (inside) 1 interface

along with

global (Cable) 1 interface

Interface names:

outside = cable

inside = inside

dmzish = T1

Two entries are needed in NAT for internal:

static (inside,Cable) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

static (inside,inside) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

and one for external:

static (inside,T1) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

Thank you to everyone who helped out, this was a tough one for me being a beginner, now I have a very good understanding of NAT :)
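A consolidated version of the configuration the thread arrives at, as an added example: it is not the poster's running-config (which is not reproduced on the page) and not copied from the linked Cisco article. It uses the pre-8.3 static/global/nat syntax the thread uses and the interface names the poster gives (Cable, T1, inside). 203.0.113.197 is a documentation-range placeholder for the masked public address xxx.xxx.123.197, the inside LAN is assumed to be 192.168.1.0/24, and the ACL names are invented. The comments explain why the "global (inside) 1 interface" line the poster found decisive is required, and the second option shows the "dns" keyword form (DNS doctoring) that Jorge's link refers to.

```cisco
! Added example (not the thread's config). Pre-8.3 ASA syntax.
! Interfaces: Cable (primary WAN, outside), T1 (second WAN), inside (LAN).
! 203.0.113.197 = placeholder for xxx.xxx.123.197; 192.168.1.100 = web server.
! Assumed: inside LAN is 192.168.1.0/24; ACL names are invented.

! --- Option A: hairpin (what the thread settled on) -------------------------

! Traffic that enters and leaves the same interface is dropped by default;
! the inside-to-inside hairpin needs it permitted.
same-security-traffic permit intra-interface

! Publish the server on both WAN links (mapped address on the WAN side,
! real address on inside).
static (inside,Cable) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,T1)    203.0.113.197 192.168.1.100 netmask 255.255.255.255

! Hairpin: an inside host that connects to 203.0.113.197 has the destination
! rewritten to 192.168.1.100 and the packet is sent back out the inside
! interface.
static (inside,inside) 203.0.113.197 192.168.1.100 netmask 255.255.255.255

! Source PAT for the hairpinned flow. Without a global on inside the server
! sees the client's real 192.168.1.x address and answers it directly across
! the LAN switch, bypassing the ASA; the client then receives a SYN/ACK from
! 192.168.1.100 for a connection it opened to 203.0.113.197, its TCP stack
! discards it, and the page never loads. Translating the client to the
! inside interface address forces the reply back through the ASA, where
! the xlate is undone.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
global (Cable) 1 interface

! Inbound ACLs on the WAN interfaces. Pre-8.3 ACLs match the address as it
! arrives on the interface, i.e. the public one here. Permit only the
! published service, not "ip any any".
access-list CABLE_IN extended permit tcp any host 203.0.113.197 eq www
access-list CABLE_IN extended permit tcp any host 203.0.113.197 eq https
access-group CABLE_IN in interface Cable
access-list T1_IN extended permit tcp any host 203.0.113.197 eq www
access-list T1_IN extended permit tcp any host 203.0.113.197 eq https
access-group T1_IN in interface T1

! If an ACL is applied inbound on "inside", hairpinned client traffic is
! checked against it as well and must be permitted there (destination
! 203.0.113.197, tcp/80 and tcp/443), or it is dropped before NAT.

! --- Option B: DNS doctoring (the other fix on the linked page) ------------

! Instead of the hairpin, replace the two WAN-side statics above with these.
! When a DNS A-record reply for 203.0.113.197 crosses the (inside,Cable) or
! (inside,T1) pair, the ASA rewrites the answer to 192.168.1.100, so inside
! clients resolve the public name to the real address and reach the server
! over the LAN without touching the ASA. Needs "inspect dns" in the global
! service-policy (present in the default configuration) and a resolver on
! the far side of the ASA from the clients; the (inside,inside) static and
! the inside global are then not needed for this purpose.
static (inside,Cable) 203.0.113.197 192.168.1.100 netmask 255.255.255.255 dns
static (inside,T1)    203.0.113.197 192.168.1.100 netmask 255.255.255.255 dns
```

To check a hairpin without a client, run "packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.197 80" (any inside address will do); the NAT phases should show the destination untranslated to 192.168.1.100 and the source translated to the inside interface address, and "show xlate" / "show conn" should then list both translations for a real connection. Two practitioner caveats: with the hairpin, every internal client appears in the web server's logs as the ASA's inside address, so any server-side access control or rate limiting keyed on client IP is blind, and all LAN-to-server traffic is forwarded through the ASA instead of being switched locally; DNS doctoring avoids both, which is why it is usually preferred when the resolver is on the outside. On ASA 8.3 and later, where static/global/nat no longer exist, the same hairpin is a single twice-NAT rule of the form "nat (inside,inside) source dynamic any interface destination static WEB_PUBLIC WEB_REAL", with the two addresses defined as network objects.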
