New Issues??

pskipton01
Level 1
Level 1

I have the outside network

24.222.224.220

I have the inside network I am on now,

192.168.1.0 network

I have another network with servers on it

192.168.5.0 network

I can hit the servers on the 192.168.5.0 network from anywhere but the inside network 192.168.1.0.

I have given the servers the 24.222.224.220 outside IP; it works from anywhere else but the inside network I am on, and I am trying to hit it by IP for now, DNS later.

I can hit any outside internet service from either internal network.

Any ideas? I will post config if needed.

praprama
Cisco Employee
Cisco Employee

Hi Perry,

I am assuming that your topology is something like this:

192.168.1.0/24----------------(inside)ASA(outside)----------INTERNET

192.168.5.0/25

You have static translations for servers (specifically for 192.168.5.1) on the outside in the format below:

static (inside,outside) 24.222.224.221 192.168.5.1

Now when you try to access the 192.168.5.1 server using the public IP of 24.222.224.221, you are not able to do that. To enable this you will need 3 things:

1) static (inside,inside) 24.222.224.221 192.168.5.1 norandomseq nailed

2) failover timeout -1

3) same-security-traffic permit intra-interface

This should let you access the servers using the public IPs.

In the above case, both the inside LAN and the SERVER network are reachable through the "inside" interface on the firewall, and the 192.168.5.0/24 is reachable through an intermediate hop (router). Let me know if this is indeed the case or if it's different.

Thanks and Regards,

Prapanch

Hello,

We cannot assume that the servers are on the inside; depending on the scenario and where the DNS server is, we can apply some workarounds like the ones already mentioned.

You can take a look at the following document for reference

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2

Hope it helps

Mike

Mike

Here are the networks;

show run nat
object network 192.168.1.0
nat (inside,outside) dynamic interface dns
object network 192.168.5.0
nat (test,outside) dynamic interface dns
object network obj-192.168.5.100-www
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp
nat (test,outside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-8080
nat (test,outside) static 24.222.224.220 service tcp 8080 8080

show run object
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.5.100-www
host 192.168.5.100
object network obj-192.168.5.100-ftp
host 192.168.5.100
object network obj-192.168.5.101-8080
host 192.168.5.101
object service tcp-8080
service tcp source eq 8080 destination eq 8080

show run access-list
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.5.101 eq 8080
access-list outsidein standard permit 192.168.1.0 255.255.255.0
access-list outsidein standard permit 192.168.5.0 255.255.255.0

Maybe this gives a better idea of how it's set up now.

1) static (inside,inside) 24.222.224.221 192.168.5.1 norandomseq nailed (Could you explain this line a bit?)

2) failover timeout -1 (I have no failover device; is this required?)

3) same-security-traffic permit intra-interface (OK, I have seen this before.)

Thanks in advance for any more help you could give.

Hello Perry,

That's the point I wanted to make: those lines posted are not going to work because you are on 8.3 and NAT is handled differently. Please let me know the following information:

What is the security level for the inside host?

In which interface are the servers located?

What is the security level for that interface?

Where is the DNS server?

With this information I will be able to suggest an example of how you will need to set this access

Cheers

Mike

Mike

Inside network sec level 100

test network sec level 100, servers on this network outside ip 24.222.224.220

outside sec level 0 24.222.224.222

DNS is outside the system 24.222.0.96 and 97

I want to be able to talk to the test network from inside, out through outside and back into test.

At this time I cannot even do it by the test outside IP, which is 24.222.224.220.

The outside IP is 24.222.224.222.

If your inside hosts are using those external DNS servers, please put the keyword "dns" at the end of the translations for the server; that will allow the ASA to do DNS rewrite.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Thanks

Mike

Hi Perry,

So what do the DNS responses contain? I am assuming that they respond with the public IP address of the server, which is 24.222.224.220.

So in such a case, add the below commands and then you should have communication as you need:

object network obj-192.168.5.100-www-1
host 192.168.5.100
nat (test,inside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp-1
host 192.168.5.100
nat (test,inside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-8080-1
host 192.168.5.101
nat (test,inside) static 24.222.224.220 service tcp 8080 8080

So, basically we are creating a static for the "inside" interface now. From the "inside", users should then be able to access the server using its public IP address 24.222.224.220.

Also, another command you will need because both "inside" and "test" are of the same security level is

same-security-traffic permit inter-interface

Also, if you have an access-list on the "inside" interface, please add the necessary entries to allow communication to the "test" servers using the public IP addresses.

Let me know if this helps!!

Thanks and Regards,

Prapanch

Seems this configuration works.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.222.224.222 255.255.255.248
!
interface Vlan12
nameif test
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan22
nameif LGS
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 22
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.222.0.96
name-server 24.222.0.97
domain-name AVC
same-security-traffic permit inter-interface
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.5.100-www1
host 192.168.5.100
object network obj-192.168.5.100-ftp1
host 192.168.5.100
object network obj-192.168.5.101-80801
host 192.168.5.101
object service tcp-8080
service tcp source eq 8080 destination eq 8080
object network A_24.222.224.221
host 24.222.224.221
object network obj-192.168.5.100-www-1
object network obj-192.168.5.100-www
object network obj-192.168.5.100-wwwout
host 192.168.5.100
object network obj-192.168.5.100ftpout
host 192.168.5.100
object network obj-192.168.5.1018080out
host 192.168.5.101
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.5.101 eq 8080
access-list outsidein standard permit 192.168.1.0 255.255.255.0
access-list outsidein standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu test 1500
mtu LGS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
!
object network 192.168.1.0
nat (inside,outside) dynamic interface
object network 192.168.5.0
nat (test,outside) dynamic interface
object network obj-192.168.5.100-www1
nat (test,inside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp1
nat (test,inside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-80801
nat (test,inside) static 24.222.224.220 service tcp 8080 8080
object network obj-192.168.5.100-wwwout
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100ftpout
nat (test,outside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.1018080out
nat (test,outside) static 24.222.224.220 service tcp 8080 8080
access-group outside_access_in in interface outside

Thanks maybe this will help others.
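Because the working config above has to publish every server twice (a (test,outside) static for the internet and a (test,inside) static for the LAN) and also depends on same-security-traffic permit inter-interface, it is easy to add a new server outward and forget the inside twin. The checker below is an added example, not Cisco's or the poster's code: it parses only the nameif, security-level, host, static service NAT and same-security-traffic lines from a constructed sample modelled on this thread, and reports any outside static that has no inside twin or whose interfaces share a security level without the inter-interface permit.

```python
import re

# Constructed sample modelled on the thread's "test" server config; not the poster's full running config.
SAMPLE_CONFIG = """nameif inside
security-level 100
nameif test
security-level 100
object network obj-192.168.5.100-wwwout
host 192.168.5.100
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-www1
host 192.168.5.100
nat (test,inside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100ftpout
host 192.168.5.100
nat (test,outside) static 24.222.224.220 service tcp ftp ftp
"""

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (\w+) (\S+) (\S+)")

def parse_asa(text):
    """Collect interface security levels, same-security-traffic lines and static NATs keyed by real host."""
    levels, flags, nats, nameif, host = {}, set(), [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("object network "):
            host = None                      # new object: forget the previous object's host
        elif line.startswith("host "):
            host = line.split()[1]
        elif line.startswith("same-security-traffic "):
            flags.add(line)
        elif (m := NAT_RE.match(line)):      # (real_if, mapped_if, mapped_ip, proto, real_port, mapped_port)
            nats.append((host,) + m.groups())
    return levels, flags, nats

def hairpin_gaps(text, lan_if="inside", wan_if="outside"):
    """List outside statics with no twin published toward the LAN, and a missing same-security permit."""
    levels, flags, nats = parse_asa(text)
    problems = set()
    for host, real_if, _, mapped_ip, proto, rport, mport in [n for n in nats if n[2] == wan_if]:
        if (host, real_if, lan_if, mapped_ip, proto, rport, mport) not in nats:
            problems.add(f"no ({real_if},{lan_if}) static for {host} {proto}/{rport} as {mapped_ip}")
        if levels.get(real_if, -1) == levels.get(lan_if) \
                and "same-security-traffic permit inter-interface" not in flags:
            problems.add(f"{real_if} and {lan_if} share a security level; inter-interface permit missing")
    return sorted(problems)
```

Run it against the output of "show run" saved to a file; in the constructed sample the FTP server is only published outward and the inter-interface permit is absent, so both are reported.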

Great! Glad to know that Perry. And thanks for posting the config. Should be helpful for others.

Cheers,

Prapanch
