Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
0
Helpful
7
Replies

ASA 5510. Two NATed device ping each other on the mapped/global IP

Go to solution
Difan Zhao
Level 5
Level 5

‎09-16-2009 01:13 PM - edited ‎03-11-2019 09:16 AM

Hello,

I have a scenario that requires two internal servers to be able to reach each other on the global IPs. Let's say they have internal IP 10.0.0.x and 10.0.0.y and they are mapped to 1.1.1.x and 1.1.1.y. As you can see no matter on the internal network, or external network, they belong to the same IP range. The NAT is done on the same device. Is there a way 10.0.0.x can ping 1.1.1.y and 10.0.0.y can ping 1.1.1.x? I somehow can't make it work. I have a fairly long configuration so it's not easy to paste it all here. Could anybody please do an experiment and let me know the necessary config? BTW it's not ACL reason because I have tried to put "permit any any" on the outside interface but doesn't help... Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
w-schultz
Level 1
Level 1
In response to Difan Zhao

‎09-16-2009 08:46 PM

Developers hardcoding IP addresses should be talked sternly to. ;-p

You could try using a static if all else fails, I've used something similar in the past with success.

!

same-security-traffic permit intra-interface

!

static (inside,inside) 99.99.99.100 192.168.1.100 netmask 255.255.255.255

!

192.168.1.100 being the inside address

99.99.99.100 being the public address

Essentially it should look identical to your current 'static (inside,outside)' command with the exception of it being 'static (inside,inside)'

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Difan Zhao
Level 5
Level 5
In response to Collin Clark

‎09-16-2009 03:30 PM

Hey Collin thanks for quick reply! However my case is that two servers are both on the "inside" interface. So it's kind of like "in and out" on the same interface... Is this supported by ASA appliance? Thanks!

0 Helpful

Go to solution
w-schultz
Level 1
Level 1
In response to Difan Zhao

‎09-16-2009 04:11 PM

Listening to your question leads me to believe that you have a server that has a public address sitting on your local lan and DNS queries are being returned from outside of the firewall.

If this is the case you can 'doctor' your DNS queries with the alias command. It's an old command from the pix days that disappeared and seems to be back now, even though ASDM doesn't know what it is.

An example of the alias command:

alias (inside) 192.168.1.100 99.99.99.100 255.255.255.255

Another option would be to build some statics and permit intra-interface traffic.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Good luck.

0 Helpful

Go to solution
Difan Zhao
Level 5
Level 5
In response to w-schultz

‎09-16-2009 07:51 PM

Thanks for reply! Actually I can check with our server team and see if they can use DNS server. However I am sure that now they use IP address only. So two servers, even they have internal 10.x.x.x IP addresses and reside on the same LAN, however they still need to talk to each other on their NATed IP addresses (Don't ask me why... I feel weird too...)

0 Helpful

Go to solution
w-schultz
Level 1
Level 1
In response to Difan Zhao

‎09-16-2009 08:46 PM

Developers hardcoding IP addresses should be talked sternly to. ;-p

You could try using a static if all else fails, I've used something similar in the past with success.

!

same-security-traffic permit intra-interface

!

static (inside,inside) 99.99.99.100 192.168.1.100 netmask 255.255.255.255

!

192.168.1.100 being the inside address

99.99.99.100 being the public address

Essentially it should look identical to your current 'static (inside,outside)' command with the exception of it being 'static (inside,inside)'

0 Helpful

Go to solution
Difan Zhao
Level 5
Level 5
In response to w-schultz

‎09-17-2009 07:38 AM

Thank you w-schultz It worked! It's amazing that you can make it work this way lol. But before I let you go, one more question. I thought it should be

static (inside,inside) 192.168.1.100 99.99.99.100 netmask 255.255.255.255

So when the ASA sees a traffic with destination of the public IP, it will be mapped to an internal IP again. Why do you still put public IP at the first "mapped IP" field? Could you use plain English to explain a little bit? I always get confused about these NATing rules... Thanks a lot!

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Difan Zhao

‎09-17-2009 05:33 AM

If Server1 is trying to communicate with Server2 by using it's public IP, the link above will work.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card