Cisco Support Community
New Member

ASA 5505 web servers not accessible internally

We have some web servers set up internally. I have NAT configured and they are working if you type in a domain URL from an external network, but if you type in the same domain URL on a computer in the internal network, it throws a "portmap translation" error. Does anyone know what causes this? I have gotten it to stop giving me an error when I mess around with the NAT settings, but the page will never parse.

More info on the connections: right now we have 2 WAN connections, one is for internal DHCP clients inside - outside, and one is a faster connection outside - inside for the web servers.

We have a block of 13 statics on both connections, but only the T1 connection is using more than one. Thanks for any advice you can provide, and yes my config is messy, and my ACLs are goofy, but I spent my weekend learning this stuff.

ATTACHED CONFIG: Result of the command: "show running-config"

4 REPLIES

Re: ASA 5505 web servers not accessible internally

Read this link, there are a couple of solutions here, one being DNS doctoring.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Jorge

New Member

Re: ASA 5505 web servers not accessible internally

I went through and looked at that some, but it's not helping my problems any. I got to the point where it's timing out now instead of being completely dropped, but I still can't pull up a web page. Kind of frustrating to be so close.

Re: ASA 5505 web servers not accessible internally (Accepted Solution)

From inside you are accessing your own public web server, but the request is pointing to the public IP. Try the hairpinning solution on the same page, assuming 192.168.1.100 is the web server on interface inside.

same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100

New Member

Re: ASA 5505 web servers not accessible internally

At first I didn't think it was working, so I went back through in CLI and cleaned out all my NAT stuff and started fresh. The hairpinning solution worked! Here is what I did.

Since I have 3 interfaces I had to set up two separate NATs for each.

same-security-traffic permit intra-interface

static (inside,inside) xxx.xxx.123.197 192.168.1.100

was only the beginning

What I have is a little different since it's not really a DMZ, it's 2 WAN connections, but I kind of treated my T1 line as a DMZ even though the ASA doesn't see it as such.

The biggest thing I think was adding the

global (inside) 1 interface

along with

global (Cable) 1 interface

Interface names:

outside = cable

inside = inside

dmzish = T1

Two entries are needed in NAT for internal:

static (inside,Cable) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

static (inside,inside) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

and one for external:

static (inside,T1) xxx.xxx.123.197 192.168.1.100 netmask 255.255.255.255

Thank you to everyone who helped out, this was a tough one for me being a beginner, now I have a very good understanding of NAT :)
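The pieces this thread ends up with for hairpinning (the intra-interface permit, the `static (inside,inside)` entry and `global (inside) 1 interface`) can be checked against a pasted running-config. The script below is an added example, not code from any poster in the thread; the sample config is constructed, 203.0.113.197 stands in for the masked public address, and the `nat (inside) 1 0.0.0.0 0.0.0.0` line is an assumption about the rest of the config.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax used in the thread.
# 203.0.113.197 is a placeholder for the masked address; the nat line is assumed.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (Cable) 1 interface
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Cable) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,inside) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
static (inside,T1) 203.0.113.197 192.168.1.100 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)", re.M)
GLOBAL_RE = re.compile(r"^global \((\S+?)\) (\d+) ", re.M)
NAT_RE = re.compile(r"^nat \((\S+?)\) (\d+) ", re.M)
PERMIT_RE = re.compile(r"^same-security-traffic permit intra-interface\s*$", re.M)


def check_hairpin(config):
    """Return findings for every hairpin static (real and mapped interface equal)."""
    hairpins = [m.groups() for m in STATIC_RE.finditer(config)
                if m.group(1) == m.group(2)]
    if not hairpins:
        return ["no static (X,X) hairpin translation found"]
    findings = []
    if not PERMIT_RE.search(config):
        findings.append("missing 'same-security-traffic permit intra-interface': the "
                        "ASA will not send traffic back out the interface it arrived on")
    globals_ = set(GLOBAL_RE.findall(config))
    nats = set(NAT_RE.findall(config))
    for real_if, _, mapped_ip, real_ip in hairpins:
        # Clients must be source-translated on the hairpin interface; otherwise the
        # server answers them directly on the LAN and the reply bypasses the ASA.
        nat_ids = {n for i, n in nats if i == real_if}
        if not any((real_if, n) in globals_ for n in nat_ids):
            findings.append(f"{mapped_ip} -> {real_ip}: no 'global ({real_if}) <id>' "
                            f"matching a 'nat ({real_if}) <id>' rule")
    return findings


if __name__ == "__main__":
    for line in check_hairpin(SAMPLE_CONFIG) or ["hairpin prerequisites present"]:
        print(line)
```
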
