08-14-2014 06:32 AM - edited 03-11-2019 09:38 PM
Hi Experts..
I have users sitting on the inside, and they are trying to access a DMZ server via its outside (public) IP (X.X.X.191), which is a static NAT, but they are unable to reach the server. I have allowed same-security permit traffic inter- & intra-interface. Also have disabled spoofing. Still unable to reach. Pls help me out.
object network obj-ANY
 nat (inside,outside) dynamic interface
object network obj-ftp-server
 nat (dmz,outside) static X.X.X.191
08-14-2014 07:06 AM
Have you permitted same-security intra-interface traffic?
If so, and it's still not working, please run:
packet-tracer input inside tcp [user ip address] 1025 x.x.x.191 [server port]
...and share the output.
08-14-2014 07:40 AM
Hi.. Currently I am trying to ping this server's outside IP to check reachability; here are the logs.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.X.X.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IN in interface inside
access-list IN extended permit icmp any4 any4
access-list IN remark Allow Domain for Entire Network
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.110.38/0 to X.X.X.5/18216
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160797423, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
08-14-2014 07:11 AM
This problem has to be solved by manipulating DNS in a way that the internal users resolve the DMZ-server to the real address instead of the translated address. The users have to access the server by FQDN and not by IP-address.
There are two common ways to get that working:
object network obj-ftp-server
 nat (dmz,outside) static X.X.X.191 dns
08-14-2014 08:25 AM
Hi,
Users need to test some application running on this server, so they need to check this using only the outside IP, so pls how could it work? We are running the ASA in HA.
08-14-2014 08:52 AM
That can be done with some dirty NAT tricks; but really, you don't want to do that ... ;-) That's what DNS is for.
08-14-2014 09:21 AM
Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.
Could you share this tricky NAT statement to achieve communication through the outside IP?
08-14-2014 12:53 PM
> Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.
It will work because in that case you connect to the real IP of the server and not to the translated outside NAT address.
I don't have a working config for the workaround, but it was discussed on the support forum before. With a little bit of searching you will probably find it.
08-15-2014 04:56 AM
Hi..
I did try adding DNS to the NAT statement; after adding it, when I tried pinging this server by its name, it was resolving to the server's DMZ IP, not the outside NAT IP. Since, as I said above, there is no communication from inside to this server's DMZ IP, I was unable to reach it.
08-15-2014 05:08 AM
What is the packet-tracer output when you use the real IP?
08-15-2014 05:32 AM
Hi..
As I said, I have denied communication to this server's real IP from inside through an ACL, as my organization asked me to. This server can be accessible through the outside NAT IP only.
So if adding DNS to the NAT statement would cause the server name to be resolved to the real IP only, then how could we connect to it?
Also, my clients who are accessing this server over the internet would also be unable to reach it, as the server name resolves to the real IP.
That's why I am looking for a solution which can make this server's communication go through the outside NAT IP.
08-15-2014 05:56 AM
If you want to communicate with that server you have to allow it! And as the server has a specific IP, you have to allow the communication to that IP. For your external users, they have to access the server with the public IP.
08-15-2014 06:33 AM
Thanks Karsten for your help.. I need to coordinate with my seniors on this matter, and will also look for a workaround which can make communication using the outside IP; if you can share that, it will be appreciated.
On the other hand, could you pls tell me why I cannot reach the server's outside NAT IP from inside, why the ASA is not permitting it? Actually I need to justify this to my seniors.
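The packet-tracer output posted earlier in the thread already answers the "why": the route lookup sends X.X.X.191 out the outside interface, and the only NAT rule that fires is the inside-to-outside dynamic PAT on the source; the object NAT "nat (dmz,outside) static X.X.X.191" is only consulted for traffic between dmz and outside, so a packet entering on inside is never un-translated to the DMZ server's real address. The script below is an added example, not from the original thread or from Cisco; it parses packet-tracer output in the format shown above (an abridged copy of the posted trace, with the poster's X.X.X.* redaction kept) plus the static NAT lines from the first post, and reports each reason the flow cannot reach the DMZ host. The function and object names (parse_trace, parse_static_nats, diagnose) are this example's own. The usual fixes are the DNS rewrite Karsten describes or a twice-NAT rule between inside and dmz that translates the destination X.X.X.191 to the real address; that configuration is not shown here.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the packet-tracer output posted in the thread (addresses
# redacted as X.X.X.* by the original poster; only relevant phases kept).
TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.X.X.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IN in interface inside
access-list IN extended permit icmp any4 any4
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.110.38/0 to X.X.X.5/18216
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160797423, packet dispatched to next module
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# The static object NAT from the first post of the thread.
NAT_CONFIG = """\
object network obj-ftp-server
 nat (dmz,outside) static X.X.X.191
"""


@dataclass
class Phase:
    number: int
    ptype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Split packet-tracer output into its phases and the trailing summary block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                                  # start of a new phase
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":                # bare "Result:" opens the summary
            cur = None
        elif cur is None:                      # summary "key: value" lines
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif line.startswith("Type:"):
            cur.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = cur.config
        elif line == "Additional Information:":
            section = cur.info
        elif line.startswith("Subtype:"):
            pass                               # not needed for the diagnosis
        elif section is not None:
            section.append(line)
    return phases, summary


def parse_static_nats(text):
    """Map each mapped (public) address to (object name, real_if, mapped_if)."""
    nats, obj = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)", line)
        if m:
            obj = m.group(1)
        m = re.match(r"nat \((\w+),(\w+)\) static (\S+)", line)
        if m and obj:
            nats[m.group(3)] = (obj, m.group(1), m.group(2))
    return nats


def diagnose(trace_text, nat_text, dst_ip):
    """Return the reasons a traced flow to dst_ip cannot reach the static-NAT host."""
    phases, summary = parse_trace(trace_text)
    nats = parse_static_nats(nat_text)
    if dst_ip not in nats:
        return [f"destination {dst_ip} is not a static NAT mapped address"]
    obj, real_if, mapped_if = nats[dst_ip]
    findings = []
    if summary.get("input-interface") != mapped_if:
        findings.append(f"static NAT ({real_if},{mapped_if}) is not consulted for "
                        f"traffic entering on {summary.get('input-interface')}")
    if not any(dst_ip in l for p in phases if p.ptype == "NAT" for l in p.info):
        findings.append(f"no NAT phase un-translates {dst_ip} to {obj}")
    if summary.get("output-interface") != real_if:
        findings.append(f"flow egresses {summary.get('output-interface')}, not {real_if}")
    return findings


if __name__ == "__main__":
    for reason in diagnose(TRACE, NAT_CONFIG, "X.X.X.191"):
        print("-", reason)
```

Run against the posted trace, it reports that the (dmz,outside) static NAT is not consulted for traffic entering on inside, that no NAT phase un-translates X.X.X.191, and that the flow egresses outside rather than dmz, which is exactly what the "Dynamic translate 192.168.110.38/0 to X.X.X.5/18216" line in Phase 4 means: the ASA treated the ping as ordinary outbound internet traffic.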