
Fix deny IP spoof from x.226 to y.233

tr_onlinepos_dk
Level 1

Hi

 

We have an ISP connection with two scopes:

x.224/30 and y.232/29

The /30 range is our public outside IP, and the incoming /29 traffic is routed to x.226 by the ISP.

 

We have a server on one of the /29 IPs with public DNS assigned.

When I try to access the DNS IP, the firewall generates a Deny IP spoof error.

I guess that the problem is that the traffic is routed to the outside x.226/30 interface and then tries to enter the outside again using a NAT rule (everything works when traffic originates outside the house).

 

I have made a solution where I have an inside DNS server that gives the clients the correct inside IP, but I would rather avoid that because of .....

 

What would be the correct solution to this problem?

 

Best regards

Teddy

Accepted Solution

Bogdan Nita
VIP Alumni

Hi Teddy,

 

If I understand correctly, you are trying to reach a public IP assigned/NATed on the outside interface from inside. In that case you could have a NAT in place similar to this one:

 

same-security-traffic permit intra-interface
!
object network Public_Server
host x.x.x.x
!
object network Internal_Server
host x.x.x.x
!
nat (INSIDE,INSIDE) source dynamic any interface destination static Public_Server  Internal_Server

 

HTH

Bogdan


4 Replies


Thanks for the reply and sorry for the slow response.

 

I failed to mention that the server is located on another inside interface.

 

Would it only be a matter of changing the NAT rule to "nat (INSIDE,INSIDESERVER)" to reflect the correct names?

 

And a side question:

You create two network object hosts named Public_Server and Internal_Server. These are not used in the NAT rule, so can they be omitted, or what is the reason for them?

Yes, if the server is on a different interface the nat should be adapted as you indicated.

I have created object Public_Server, but then I went on to use the name Public_IP in the nat. I have corrected the error in my initial reply. Should be ok now.

Many thanks, it worked like a charm.
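As an added example (not part of the thread, and not Bogdan's or Teddy's configuration), here is the accepted solution and the separate-interface variant from the follow-up written out in full, together with the ASA commands a practitioner would use to confirm the rule is matched instead of the anti-spoofing drop (the "Deny IP spoof" message is ASA syslog 106016, raised because the PATed packet leaves the outside interface and is immediately routed back to it by the ISP with the ASA's own address as source). The addresses (RFC 5737 documentation ranges standing in for the real /30 and /29), the interface names INSIDE and DMZ, the server's private address and the port numbers are all assumptions made for the example.

```text
! Added example, not from the original thread. Placeholders:
!   203.0.113.x  = the /30 that carries the outside interface address
!   198.51.100.x = the routed /29 that holds the server's public address
!   INSIDE       = client LAN, DMZ = server segment (assumed nameif values)
!
! Case 1: client and server behind the same interface (hairpin / U-turn).
! The ASA drops traffic that enters and leaves the same interface unless
! this is enabled.
same-security-traffic permit intra-interface
!
object network Public_Server
 host 198.51.100.3
 description public address of the server, taken from the routed /29
!
object network Internal_Server
 host 10.0.10.5
 description real (private) address of the server
!
! Twice NAT. For a client on INSIDE that connects to the public address:
!  (a) the source is PATed to the INSIDE interface address, so the server
!      answers the ASA rather than the client directly (otherwise the reply
!      bypasses the ASA and the connection never completes);
!  (b) the destination is rewritten to the server's real address.
! Destination order is mapped-then-real: Public_Server -> Internal_Server.
nat (INSIDE,INSIDE) source dynamic any interface destination static Public_Server Internal_Server
!
! Case 2 (Teddy's follow-up): server on its own interface. Only the
! interface pair changes. The intra-interface permission above is not
! required for this rule; the source PAT is kept for symmetry with case 1,
! although inter-interface replies already return through the ASA.
nat (INSIDE,DMZ) source dynamic any interface destination static Public_Server Internal_Server
!
! Verification: trace a client connection to the public address. The NAT
! phase should name the rule above and the final result should be ALLOW,
! with no spoof drop on the outside interface.
packet-tracer input INSIDE tcp 10.0.1.20 40000 198.51.100.3 443
!
! After a real test connection, the translate_hits counter of the rule
! should have increased.
show nat detail
```

One caveat worth checking with `show nat`: a manual (twice) NAT rule like the one above lives in section 1 and is evaluated before any object NAT in section 2, so it takes precedence over the server's existing inbound static NAT for traffic coming from INSIDE. If that inbound rule is itself a twice NAT rule, the hairpin rule has to be placed above it (by line number) or it will never be reached.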
