New Member

inside to outside ip

 

Hi Experts,

 

I have users sitting on the inside and they are trying to access a DMZ server with its outside (public) IP (X.X.X.191), which is a static NAT, but they are unable to reach the server. I have allowed same-security traffic inter- and intra-interface. I have also disabled spoofing. Still unable to reach it. Please help me out.

 

object network obj-ANY
 nat (inside,outside) dynamic interface

 

object network obj-ftp-server
 nat (dmz,outside) static X.X.X.191

 



 

18 REPLIES
Hall of Fame Super Silver

Have you permitted traffic same-security intra-interface?

If so, and it's still not working, please run:

packet-tracer input inside tcp [user ip address] 1025 x.x.x.191 [server port]

...and share the output

New Member

Hi. Currently I am trying to ping this server's outside IP to check reachability; here are the logs.

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   X.X.X.0   255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IN in interface inside
access-list IN extended permit icmp any4 any4
access-list IN remark Allow Domain for Entire Network
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.110.38/0 to X.X.X.5/18216

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160797423, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

VIP Purple

This problem has to be solved by manipulating DNS in a way that the internal users resolve the DMZ server to the real address instead of the translated address. The users have to access the server by FQDN and not by IP address.

There are two common ways to get that working:

  1. DNS-Doctoring on the ASA.
    For that you just add the keyword "dns" to your NAT statement:

    object network obj-ftp-server
     nat (dmz,outside) static X.X.X.191 dns

  2. Add the FQDN of the server to your internal DNS.
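
A fuller version of option 1 as an added example; this is not configuration from the original post. It shows the static NAT with the dns keyword together with the two things the rewrite depends on: DNS application inspection (on by default in global_policy, shown so it is not silently missing) and an inside ACL entry that permits the real DMZ address, because after the rewrite the inside clients connect to the real address, not to X.X.X.191. The real server address 10.10.10.10, the inside subnet 192.168.110.0/24 and the FTP port are assumptions (only the object names, X.X.X.191 and the host 192.168.110.38 appear in the thread).

```cisco
! --- Added example: DNS doctoring for the DMZ server (ASA 8.3+ syntax) ---
! Assumption: the FTP server's real DMZ address is 10.10.10.10 (not given in the thread).
object network obj-ftp-server
 host 10.10.10.10
 nat (dmz,outside) static X.X.X.191 dns
!
! DNS rewrite is only performed when DNS replies are inspected. This is the
! default in global_policy; repeated here so the dependency is explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! After the A record is rewritten, inside clients connect to the REAL address,
! so the inside ACL must permit it. A deny to 10.10.10.10 placed above this
! line (the situation described later in the thread) defeats the approach.
! Assumptions: inside subnet 192.168.110.0/24, service FTP (from the object name).
access-list IN extended permit tcp 192.168.110.0 255.255.255.0 host 10.10.10.10 eq ftp
access-group IN in interface inside
!
! Verify the resulting flow (this is the packet-tracer suggested earlier in the
! thread, pointed at the real address instead of the public one):
! packet-tracer input inside tcp 192.168.110.38 1025 10.10.10.10 21
```

With this in place an inside user resolving the server's FQDN through an outside resolver receives 10.10.10.10 and is routed to the dmz interface; the Internet keeps resolving and reaching X.X.X.191 unchanged. Option 2 (an internal DNS zone that returns 10.10.10.10 directly) needs the same ACL entry and no dns keyword.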
New Member

Hi,

Users need to test some application running on this server, so they need to check this using only the outside IP, so please, how could it work? We are running the ASA in HA.

VIP Purple

That can be done with some dirty NAT tricks; but really, you don't want to do that ... ;-) That's what DNS is for.

New Member

Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.

Could you share this tricky NAT statement to achieve communication through the outside IP?

VIP Purple

> Hi, since I have denied requests to this server's local IP from inside, I believe the DNS option wouldn't work after adding the DNS statement.

It will work because in that case you connect to the real IP of the server and not to the translated outside NAT address.

I don't have a working config for the workaround, but it was discussed on the support forum before. With a little bit of searching you will probably find it.

New Member

Hi.

I did try adding DNS to the NAT statement; after adding it, when I tried pinging this server by its name it resolved to the server's DMZ IP, not the outside NAT IP. Since, as I said above, there is no communication between inside and this server's DMZ IP, I was unable to reach it.

VIP Purple

What is the packet-tracer output when you use the real IP?

New Member

Hi.

As I said, I have denied communication to this server's real IP from inside through an ACL, as my organization asked me to. This server can be accessible through the outside NAT IP only.

So if adding DNS to the NAT statement would cause the server name to be resolved to the real IP only, then how could we connect to it?

Also, my clients who access this server over the Internet would also be unable to reach it, as the server name would resolve to the real IP.

That's why I am looking for a solution which can make this server's communication go through the outside NAT IP.

VIP Purple

If you want to communicate with that server you have to allow it! And as the server has a specific IP you have to allow the communication to that IP. For your external users, they have to access the server with the public IP.

New Member

Thanks Karsten for your help. I need to coordinate with my seniors on this matter, and will also look for a workaround which can make communication using the outside IP; if you can share that, it would be appreciated.

On the other hand, could you please tell me why I cannot reach the server's outside NAT IP from inside, why the ASA is not permitting it? I actually need to justify this to my seniors.

New Member

Thanks Karsten for your help. I will be coordinating with my seniors on this, and will look for a workaround to make communication through the outside NAT IP; if you can help me on this, that would be highly appreciated.

Also, could you tell me why I cannot reach the outside NAT IP from inside, why the ASA is denying it? What could be the reason? I actually need to justify this to my seniors.

VIP Purple

> Also, could you tell me why I cannot reach the outside NAT IP from inside, why the ASA is denying it? What could be the reason? I actually need to justify this to my seniors.

It's the way the ASA works internally. Generalized: when the ASA sees the public IP it decides to route the packet to the outside interface. And then it's too late for a new decision that the destination is actually on a different interface. The workaround is to NAT on the destination because that decision is done earlier. But that's not the right way to use the ASA.
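
The destination-NAT workaround referred to above, as an added example that is not part of the original thread. It is the manual (twice) NAT form on ASA 8.3+: for inside hosts only, the public address X.X.X.191 is un-translated to the server's real DMZ address before the route lookup, so the packet is sent out the dmz interface instead of the outside interface. The real server address 10.10.10.10, the inside subnet 192.168.110.0/24, the object name obj-ftp-server-public and the FTP port are assumptions; X.X.X.191, obj-ftp-server and the host 192.168.110.38 come from the thread.

```cisco
! --- Added example: destination NAT so inside users can reach the DMZ server by its public IP ---
! Assumptions: real DMZ address 10.10.10.10; inside subnet 192.168.110.0/24; service FTP.
object network obj-inside-net
 subnet 192.168.110.0 255.255.255.0
object network obj-ftp-server
 host 10.10.10.10
 nat (dmz,outside) static X.X.X.191
object network obj-ftp-server-public
 host X.X.X.191
!
! Manual NAT is placed in section 1 and evaluated before the object NAT rules
! (section 2), so the inside->outside dynamic PAT no longer claims this flow.
! The source stays unchanged (identity); only the destination is rewritten,
! syntax: destination static <mapped-object> <real-object>.
nat (inside,dmz) source static obj-inside-net obj-inside-net destination static obj-ftp-server-public obj-ftp-server
!
! On 8.3+ interface ACLs are matched against the REAL addresses. The inside ACL
! must therefore permit the real DMZ address even though users type X.X.X.191;
! a deny to 10.10.10.10 on this interface blocks the flow regardless of NAT.
access-list IN extended permit tcp 192.168.110.0 255.255.255.0 host 10.10.10.10 eq ftp
!
! Verify: the trace should now show an UN-NAT phase translating X.X.X.191 to
! 10.10.10.10 and output-interface: dmz rather than outside.
! packet-tracer input inside tcp 192.168.110.38 1025 X.X.X.191 21
```

Nothing is needed on the dmz side for the return traffic; the connection entry created by the un-NAT handles it. Because the rule is scoped to (inside,dmz) it does not touch Internet clients, which keep using the object NAT rule on (dmz,outside).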

New Member

Thanks Karsten, I have started searching for a config example for this workaround; it would be very helpful and appreciated if you could share this.

New Member

Hi. I did try to explore the NAT configuration for this problem but could not get it to work. Please help me out by sharing the config for this.
