10-23-2010 04:59 PM - edited 03-11-2019 11:59 AM
I have the outside network
24.222.224.220
I have the inside network I am on now,
192.168.1.0 network
I have another network with servers on it
192.168.5.0 network
I can hit the servers on the 192.168.5.0 network from anywhere but the inside network 192.168.1.0.
I have given the servers the outside IP 24.222.224.220; it works from anywhere else but the inside network I am on, and I am trying to hit it by IP for now, DNS later.
I can hit any outside internet service from either internal network.
Any ideas? I will post config if needed.
10-23-2010 05:30 PM
Hi Perry,
I am assuming that your topology is something like this:
192.168.1.0/24----------------(inside)ASA(outside)----------INTERNET
192.168.5.0/25
You have static translations for servers (specifically for 192.168.5.1) on the outside in the format below:
static (inside,outside) 24.222.224.221 192.168.5.1
Now when you try and access the 192.168.5.1 server using the public IP of 24.222.224.221, you are not able to do that. To enable this you will need 3 things.
1) static (inside,inside) 24.222.224.221 192.168.5.1 norandomseq nailed
2) failover timeout -1
3) same-security-traffic permit intra-interface
This should let you access the servers using the public IPs.
In the above case, both the inside LAN and the SERVER network are reachable through the "inside" interface on the firewall and the 192.168.5.0/24 is reachable through an intermediate hop (router). Let me know if this is indeed the case or if it's different.
Thanks and Regards,
Prapanch
10-23-2010 06:23 PM
Hello,
We cannot assume that the servers are on the inside. Depending on the scenario and on where the DNS server is, we can apply some workarounds like the ones already mentioned.
You can take a look at the following document for reference
Hope it helps
Mike
10-23-2010 07:16 PM
Here are the networks;
show run nat
object network 192.168.1.0
nat (inside,outside) dynamic interface dns
object network 192.168.5.0
nat (test,outside) dynamic interface dns
object network obj-192.168.5.100-www
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp
nat (test,outside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-8080
nat (test,outside) static 24.222.224.220 service tcp 8080 8080
show run object
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.5.100-www
host 192.168.5.100
object network obj-192.168.5.100-ftp
host 192.168.5.100
object network obj-192.168.5.101-8080
host 192.168.5.101
object service tcp-8080
service tcp source eq 8080 destination eq 8080
show run access-list
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.5.101 eq 8080
access-list outsidein standard permit 192.168.1.0 255.255.255.0
access-list outsidein standard permit 192.168.5.0 255.255.255.0
Maybe this gives a better idea of how it's set up now.
1) static (inside,inside) 24.222.224.221 192.168.5.1 norandomseq nailed (Could you explain this line a bit?)
2) failover timeout -1 (I have no Failover device is this required?)
3) same-security-traffic permit intra-interface (ok I have seen this before)
Thanks in advance for any more help you could give.
10-23-2010 07:28 PM
Hello Perry,
That's the point I wanted to make: those lines posted are not going to work because you are on 8.3 and NAT is handled differently. Please let me know the following information:
What is the security level for the inside host?
In which interface are the servers located?
What is the security level for that interface?
Where is the DNS server?
With this information I will be able to suggest an example of how you will need to set up this access.
Cheers
Mike
10-24-2010 03:45 AM
Inside network sec level 100
test network sec level 100, servers on this network outside ip 24.222.224.220
outside sec level 0 24.222.224.222
DNS is outside the system 24.222.0.96 and 97
I want to be able to talk to the test network from inside, out through outside and back into test.
At this time I cannot even do it by the test outside IP, which is 24.222.224.220.
the outside ip 24.222.224.222
10-24-2010 02:22 PM
If your inside hosts are using those external DNS servers, please put the keyword "dns" at the end of the translations for the server; that will allow the ASA to do DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Thanks
10-25-2010 12:36 AM
Hi Perry,
So what do the DNS responses contain? I am assuming that they respond with the public IP address of the server, which is 24.222.224.220.
So in such a case, add the below commands and then you should have communication as you need:
object network obj-192.168.5.100-www-1
nat (test,inside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp-1
nat (test,inside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-8080-1
nat (test,inside) static 24.222.224.220 service tcp 8080 8080
So, basically we are creating a static translation for the "inside" interface now. From the "inside", users should then be able to access the server using its public IP address 24.222.224.220.
Also, another command you will need because both "inside" and "test" are of the same security level is
same-security-traffic permit inter-interface
Also, if you have an access-list on the "inside" interface, please add the necessary entries to allow communication to the "test" servers using the public IP addresses.
Let me know if this helps!!
Thanks and Regards,
Prapanch
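An added example, not from any poster in this thread, that models how the ASA chooses a static object-NAT rule for a packet arriving on a given interface, and so why the (test,outside) rules alone left inside hosts unable to reach 24.222.224.220 until the (test,inside) rules and same-security-traffic permit inter-interface were added. The SECURITY levels, PORTS map and the BEFORE/AFTER fragments are constructed from the config Perry posted; the matching rule used (only rules whose mapped interface equals the ingress interface are candidates) is this model's assumption about ASA behaviour.

```python
"""Added example (not from the thread): a model of ASA 8.3 object-NAT destination
lookup for the hairpin case.  Assumption: only rules whose mapped interface equals
the packet's ingress interface are candidates for the mapped->real lookup."""
import re
from typing import List, NamedTuple

PORTS = {"www": 80, "ftp": 21}                          # keyword ports used in the thread
SECURITY = {"inside": 100, "test": 100, "outside": 0}   # levels Perry posted

StaticNat = NamedTuple("StaticNat", [("real_if", str), ("mapped_if", str), ("real_ip", str),
                                     ("mapped_ip", str), ("real_port", int), ("mapped_port", int)])

def parse_static_nat(config: str) -> List[StaticNat]:
    """Join each object's 'host' with its 'nat (real,mapped) static ... service tcp' line."""
    hosts, pending, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"nat \((\S+),(\S+)\) static (\S+) service tcp (\S+) (\S+)$", line):
            pending.append((current,) + m.groups())
    port = lambda p: PORTS.get(p) or int(p)
    return [StaticNat(ri, mi, hosts[obj], mip, port(rp), port(mp))
            for obj, ri, mi, mip, rp, mp in pending]

def untranslate(rules, ingress_if, dst_ip, dst_port, inter_interface_permitted):
    """Return (egress_if, real_ip, real_port) for a packet arriving on ingress_if,
    or a string explaining why the hairpin flow fails."""
    for r in rules:
        if (r.mapped_if, r.mapped_ip, r.mapped_port) == (ingress_if, dst_ip, dst_port):
            crosses = r.real_if != ingress_if and SECURITY[r.real_if] == SECURITY[ingress_if]
            if crosses and not inter_interface_permitted:
                return "dropped: same-security-traffic permit inter-interface is missing"
            return (r.real_if, r.real_ip, r.real_port)
    return "no NAT match: destination stays 24.222.224.220 and is routed towards outside"

# Constructed fragments mirroring Perry's config before and after Prapanch's fix.
BEFORE = """object network obj-192.168.5.100-www
 host 192.168.5.100
 nat (test,outside) static 24.222.224.220 service tcp www www
"""
AFTER = BEFORE + """object network obj-192.168.5.100-www-1
 host 192.168.5.100
 nat (test,inside) static 24.222.224.220 service tcp www www
"""
```

Running untranslate(parse_static_nat(BEFORE), "inside", "24.222.224.220", 80, True) reports no NAT match, while the same call on AFTER resolves to ("test", "192.168.5.100", 80).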
10-25-2010 09:46 AM
Seems this configuration works.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.222.224.222 255.255.255.248
!
interface Vlan12
nameif test
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan22
nameif LGS
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 22
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.222.0.96
name-server 24.222.0.97
domain-name AVC
same-security-traffic permit inter-interface
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.5.100-www1
host 192.168.5.100
object network obj-192.168.5.100-ftp1
host 192.168.5.100
object network obj-192.168.5.101-80801
host 192.168.5.101
object service tcp-8080
service tcp source eq 8080 destination eq 8080
object network A_24.222.224.221
host 24.222.224.221
object network obj-192.168.5.100-www-1
object network obj-192.168.5.100-www
object network obj-192.168.5.100-wwwout
host 192.168.5.100
object network obj-192.168.5.100ftpout
host 192.168.5.100
object network obj-192.168.5.1018080out
host 192.168.5.101
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.5.100 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.5.101 eq 8080
access-list outsidein standard permit 192.168.1.0 255.255.255.0
access-list outsidein standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu test 1500
mtu LGS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
!
object network 192.168.1.0
nat (inside,outside) dynamic interface
object network 192.168.5.0
nat (test,outside) dynamic interface
object network obj-192.168.5.100-www1
nat (test,inside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp1
nat (test,inside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.101-80801
nat (test,inside) static 24.222.224.220 service tcp 8080 8080
object network obj-192.168.5.100-wwwout
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100ftpout
nat (test,outside) static 24.222.224.220 service tcp ftp ftp
object network obj-192.168.5.1018080out
nat (test,outside) static 24.222.224.220 service tcp 8080 8080
access-group outside_access_in in interface outside
Thanks, maybe this will help others.
10-25-2010 05:15 PM
Great! Glad to know that Perry. And thanks for posting the config. Should be helpful for others.
Cheers,
Prapanch