inside to outside ip

Anukalp S
Level 1

Hi Experts..

I have users sitting on the inside and they are trying to access a DMZ server with its outside (public) IP (X.X.X.191), which is a static NAT, but they are unable to reach the server. I have allowed same-security permit traffic inter- and intra-interface. Also have disabled spoofing. Still unable to reach. Please help me out.

object network obj-ANY
 nat (inside,outside) dynamic interface
object network obj-ftp-server
 nat (dmz,outside) static X.X.X.191
18 Replies

Marvin Rhoads
Hall of Fame

Have you permitted traffic same-security intra-interface?

If so, and it's still not working, please run:

packet-tracer input inside tcp [user ip address] 1025 x.x.x.191 [server port]

...and share the output

Hi.. Currently I am trying to ping this server's outside IP to check reachability; here are the logs.

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   X.X.X.0   255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IN in interface inside
access-list IN extended permit icmp any4 any4
access-list IN remark Allow Domain for Entire Network
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.110.38/0 to X.X.X.5/18216

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160797423, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

This problem has to be solved by manipulating DNS in a way that the internal users resolve the DMZ-server to the real address instead of the translated address. The users have to access the server by FQDN and not by IP-address.

There are two common ways to get that working:

  1. DNS-Doctoring on the ASA.
    For that you just add the keyword "dns" to your nat-statement:

    object network obj-ftp-server
     nat (dmz,outside) static X.X.X.191 dns

  2. Add the FQDN of the server to your internal DNS.

Hi,

Users need to test some application running on this server, so they need to check this using only the outside IP, so please, how could it work? We are running the ASA in HA.

That can be done with some dirty NAT-tricks; but really, you don't want to do that ... ;-) That's what DNS is for.

Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.

Could you share this tricky NAT statement to achieve communication through the outside IP?

Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.

It will work because in that case you connect to the real IP of the server and not to the translated outside NAT-address.

I don't have a working config for the workaround, but it was discussed on the supportforum before. With a little bit searching you will probably find it.

Hi..

I did try adding dns to the NAT statement; after adding it, when I tried pinging this server by its name it was resolving to the server's DMZ IP, not the outside NAT IP. Since, as I said above, there is no communication from inside to this server's DMZ IP, I was unable to reach it.

what is the packet-tracer output when you use the real IP?

hi..

As I said, I have denied communication to this server's real IP from inside through an ACL, as my organization asked me to. This server can be accessible through the outside NAT IP only.

So if adding dns to the NAT statement would cause the server name to be resolved to the real IP only, then how could we connect to it?

Also my clients who are accessing this server over the internet could also be unable to reach it, as the server name resolves to the real IP.

That's why I am looking for a solution which can make this server's communication work through the outside NAT IP.

If you want to communicate with that server you have to allow it! And as the server has a specific IP you have to allow the communication to that IP. For your external users, they have to access the server with the public IP.

Thanks Karsten for your help.. I need to coordinate with my seniors on this matter; also I will look for a workaround which can make communication work using the outside IP. If you can share that, it will be appreciated.

On the other hand, could you please tell me why I cannot reach the server's outside NAT IP from inside, why the ASA is not permitting it? Actually, I need to justify this to my seniors.
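
The packet-tracer output pasted earlier in the thread already shows why the ASA never forwards the request to the DMZ: the "nat (dmz,outside) static X.X.X.191" rule only applies to flows between the dmz and outside interfaces, so a packet arriving on inside with destination X.X.X.191 is matched by the "nat (inside,outside) dynamic interface" rule instead (Phase 4, "Dynamic translate 192.168.110.38/0 to X.X.X.5/18216"), is routed out of the outside interface (Phase 2, route lookup hits the X.X.X.0/24 route on outside), and is never turned around towards the DMZ. The "NAT trick" referred to in the thread is a manual (twice) NAT rule on the (inside,dmz) interface pair that rewrites the public address to the server's real address. The configuration below is an added example and is not from the thread or any of its participants; the server's real address 10.10.10.10, the inside subnet 192.168.110.0/24, the object names obj-ftp-server-public and obj-inside-net, and the FTP port are assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed: the FTP server's real DMZ
! address is 10.10.10.10 and the inside subnet is 192.168.110.0/24 (the
! trace shows 192.168.110.38 as the tested client).

object network obj-ftp-server
 host 10.10.10.10
 nat (dmz,outside) static X.X.X.191

object network obj-ftp-server-public
 host X.X.X.191

object network obj-inside-net
 subnet 192.168.110.0 255.255.255.0

! Manual (twice) NAT for the inside->dmz direction: when an inside host
! sends to X.X.X.191, translate the destination to the real server address
! and leave the source unchanged (the DMZ server routes replies to
! 192.168.110.0/24 back through the ASA, so no source PAT is needed).
! Manual NAT rules are evaluated before object NAT, so this rule is matched
! ahead of "nat (inside,outside) dynamic interface".
nat (inside,dmz) source static obj-inside-net obj-inside-net destination static obj-ftp-server-public obj-ftp-server

! On ASA 8.3 and later, interface access rules are checked against the
! real (untranslated) destination address. The deny for the server's real
! IP mentioned in the thread would therefore still drop the hairpinned flow
! at the ACCESS-LIST phase, so a permit for the real address must sit
! before that deny; "line 1" puts it at the top of the existing IN list.
access-list IN line 1 extended permit tcp object obj-inside-net object obj-ftp-server eq ftp

! Verify from the inside interface: the NAT phase should now show a
! "Static translate X.X.X.191/21 to 10.10.10.10/21" line and the output
! interface should be dmz rather than outside.
packet-tracer input inside tcp 192.168.110.38 1025 X.X.X.191 21
```

External clients are unaffected by this rule, because it only applies to traffic entering on inside; they continue to reach the server through the existing (dmz,outside) static translation.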
