Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Access rule for inside hosts to access services on outside interface.

Hi,

I'm having issues getting the correct rule that allow all of my 192.168.1.0/24 (inside) machines to access services like http/smtp that are being exposed to the outside via PAT.

Indeed I can access everything from outside the network but from within my own network I can't access those services.

Appreciate any help!

Example:

61.21.1.1 (outside IP)

192.168.1.10 (inside IP)

192.168.1.10 access denied to 61.21.1.1

:(

9 REPLIES

Re: Access rule for inside hosts to access services on outside i

I'm not sure I understand. Is this on a router or a PIX? What ip nat commands do you have in place? Could you post your config please? Then we might be able to identify the problem.

Kevin Dorrell

Luxembourg

New Member

Re: Access rule for inside hosts to access services on outside i

Sorry for the lack of details: Here's the running-config:

Basically, I have a host behind the ASA device that I use to get email from my own mail server which is on the inside but I use the fqdn so the request has to go out of the firewall and then back in, but apparently that's not allowed because I'm getting denied packets in my logger for the ASA. I'm sure I've spaced some access rule and when I try to create any I can't seem to get the parameters right. Thanks!

Result of the command: "show running-config"

: Saved

:

ASA Version 7.2(2)

!

names

name 192.168.1.20 master

name 192.168.1.10 mail

name 192.168.1.3 host1

name 17.17.17.1 PublicIP

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address PublicIP 255.255.255.248

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 3

!

passwd xyxz encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name domain.x

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service www tcp-udp

description Web traffic

port-object eq www

access-list outside_access_in remark Allow for incoming Secure SMTP requests

access-list outside_access_in extended permit tcp any interface outside eq 465

access-list outside_access_in remark Allow for incoming Secure IMAP requests

access-list outside_access_in extended permit tcp any interface outside eq 993

access-list outside_access_in remark Allow for incoming smtp requests

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in remark Allow for incoming https requests

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit udp any interface outside eq domain

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit tcp any interface outside eq domain

access-list outside_access_in extended permit tcp any interface outside eq ssh

access-list outside_access_in remark Allow for incoming http requests

access-list outside_access_in extended permit tcp any interface outside eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www master www netmask 255.255.255.255

static (inside,outside) udp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255

static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255

static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 17.17.17.1 1

New Member

Re: Access rule for inside hosts to access services on outside i

I think what I am really describing here is "hairpinning". Where a packet originates on the inside interface and is immediately being asked to come back inside since the IP:Service I'm requesting is really on the inside. I'm going to try the hairpinning theory and modify my config to see if it fixes my issue. Still open to comments/solutions. Thank you!

Re: Access rule for inside hosts to access services on outside i

Kevin, that is correct, if the destination is on the inside along with the source and need communication between the two then you apply hairpin.

same-security-traffic permit intra-interface

static (inside,inside) 61.21.1.1 192.168.1.10 netmask 255.255.255.255

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1494249

Rgds

Jorge

New Member

Re: Access rule for inside hosts to access services on outside i

Hmm.. Well, that didn't work. Perhaps I don't understand this. Let's try a simplier example:

I have my ASA 5505 outside interface IP set to: 1.1.1.1

My inside interface network is of 192.168.1.0/24.

If I am on host 192.168.1.30, I can't even ping my 1.1.1.1 (external/public IP).

Would that be a form for "hairpinning" or not?

If it's "not" then would needs to be added to allow that icmp flow? I could then apply that to my smtp traffic,etc.

Thanks again!

New Member

Re: Access rule for inside hosts to access services on outside i

Here's a logging message that may help us understand it:

TCP access denied by ACL from 192.168.1.30/53484 to inside:PublicIP/80

New Member

Re: Access rule for inside hosts to access services on outside i

Problem solved - Needed to add:

global (inside) 1 interface

hehe :)

Re: Access rule for inside hosts to access services on outside i

Great, good to know how you got it resolved.

New Member

Re: Access rule for inside hosts to access services on outside i

Actually, I thought I had it figured out, but it's not exactly working. Indeed I can hit the web sites that are hosted internally although DNS resolves them to the external interface, but I still can't get to specific services on that outside interface. Example is Secure IMAP.

I can access secure imap fine from the outside, but no hosts on the inside can get to it.

The one thing I did add to help me get the website traffic working at least was this:

global (inside) 1 interface

Still looking for the rest of the solution.

Jorgemcse:

I felt like this might have been more of a firewall issue so I posted over there, here's the link which contains an update of my running configuration:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddfdb9b

180
Views
3
Helpful
9
Replies