I'm setting up my first ASA 5505 (Security Plus) and want to make sure I'm doing this correctly.
I have a web server on my inside network. The web server's internal IP is 192.168.1.53. The web server runs on port 9000. I want this accessible from several internal VLANs. I also want to expose this web server externally on one of my static public IPs, x.x.x.172, also on port 9000.
Here's the catch: My internal users sometimes need to access the web server using the *external* hostname/IP, so I need to enable hairpinning.
I started using Network Object NAT but found that I had to use Twice NAT to get the hairpin scenario to work. I experimented some more and found that if I adjusted my Twice NAT rule, I didn't need the Network Object NAT rules anymore.
I set this up and it seems to work great internally and externally. Before I set up a few dozen more of these for different server/port combinations, I wanted to run this by you experts to see if there are any issues with this config that will bite me later down the road.
same-security-traffic permit intra-interface
object network PUBLIC-172
 host x.x.x.172
object network INTERNAL-53
 host 192.168.1.53
object service PORT-9000
 service tcp destination eq 9000
access-list OutsideIn extended permit tcp any host 192.168.1.53 eq 9000
access-group OutsideIn in interface outside
nat (any,inside) source static any interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000
I would be careful using the any keyword. In this case you would be allowing everyone access to the server using the external IP (provided the access lists also permit the connection). It is always a best practice to be very specific with what you configure on the ASA.
Of course if you don't have a very strict security policy and are allowed to do this, then there is nothing wrong with doing it.
To be clear, I have two client PC's I'm testing with. One on the "inside" VLAN and one on the "work" VLAN.
If I take out the first "any", I have to reproduce the rule N times for each of my VLANs. However, even after doing this I'm seeing the same issue -- works if the client PC is on the "inside" VLAN, fails with "reverse path failure" if the client PC is on any other internal VLAN.
I tried replacing the second "any" with INTERNAL-53, and the requests to the internal URL now work from the other VLANs, but now the requests to the external URL from those same PCs don't work. I'm not seeing anything in the syslog though.
Changing from "source static" to "source dynamic" didn't change anything either.
I think I'm being stumped by the tricky syntax of this NAT command. In essence, I want something that implements "if an internal or external user requests this external URL, translate to this instead". NAT shouldn't be getting involved if an internal user requests an internal URL.
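One way to follow the advice above (be specific instead of "any") and to give each VLAN its own rule, as an added example that is not from the thread and has not been tested on the poster's ASA: the single (any,inside) rule is split into one twice NAT rule per traffic path, so the source is only PAT'ed where the hairpin actually needs it. The interface names inside, work and outside, and the two subnets, are assumptions; x.x.x.172 is the poster's placeholder for the public address.

```cisco
! Added example, not the poster's running config. Interface names and
! the INSIDE-NET / WORK-NET subnets are assumed.
same-security-traffic permit intra-interface

object network PUBLIC-172
 host x.x.x.172
object network INTERNAL-53
 host 192.168.1.53
object service PORT-9000
 service tcp destination eq 9000
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WORK-NET
 subnet 192.168.2.0 255.255.255.0

! Internet -> server: only the destination is rewritten, the source keeps
! its real address (identity NAT), and only port 9000 is published.
nat (outside,inside) source static any any destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

! inside VLAN -> public IP (hairpin on the same interface): the source is
! PAT'ed to the inside interface address so the server's replies come back
! through the ASA instead of going straight to the client.
nat (inside,inside) source dynamic INSIDE-NET interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

! work VLAN -> public IP: the traffic already crosses the ASA between two
! interfaces, so the source is left alone and only the destination is rewritten.
nat (work,inside) source static WORK-NET WORK-NET destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

! Traffic from the work VLAN to the server's real address matches no NAT rule
! and is simply routed, which is the "NAT shouldn't be involved" case.

! The interface ACL references the real (untranslated) address, as in the thread.
access-list OutsideIn extended permit tcp any object INTERNAL-53 eq 9000
access-group OutsideIn in interface outside
```

After applying it, "show nat detail" shows the per-rule translate_hits/untranslate_hits, and "packet-tracer input work tcp 192.168.2.10 12345 x.x.x.172 9000" shows which of the three rules a given client's request matches.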