Inside network to outside interface access

paulkbeyer
Level 1

Hey,

I've got an ASA5520 7.2(1) which I've got a few probs with - one of which is something I'm struggling with.

I'm trying to hit a website from a host in the inside network which is actually hosted internally but resolves to the static nat'd address on the outside interface of the firewall.

Now I can see the TCP connection built, the translation occurring to a high port on the outside interface, that high port talking back at one of the static'd addresses on the outside interface, then that's it. There are no more entries in my log with regard to the connection and I'm not receiving SYNs on the internal web server either, so the connection ain't coming back in.

ip address outside 222.x.x.9 255.255.255.248

ip address inside 192.168.87.1 255.255.255.0

Webservers static nat:-

static (inside, outside) 222.x.x.10 192.168.87.5

access lists to gain access..:-

access-list inbound extended permit tcp any host 192.168.87.5 eq http

access-group inbound interface outside in

It all works fine when originating from a Global internet address - just not when the address originated from inside and Dynamic PAT is performed to the originating address.

Here's a capture session using the following access list for capture on inside and outside interfaces concurrently

access-list web line 1 extended permit ip host 222.222.222.10 any

access-list web line 2 extended permit ip any host 222.222.222.10

on the INSIDE interface (nothing gets logged on the outside) (ip addresses have been replaced with non-sensical ones) - but the 222 address is the interface's static'd address and the other is on the internal network.

316: 19:14:02.900206 192.168.87.10.2275 > 222.222.222.10.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>

317: 19:14:05.973185 192.168.87.10.2275 > 222.222.222.10.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>

192.168.87.10 is my client trying to connect

Anyone have any gotchas which are stopping this function working?

All the networks are directly attached and there's no route summarisation occurring anywhere.

Hope you guys can help!

Regards

Paul.

1 Accepted Solution

To my knowledge the ASA will only support hairpinning over a VPN tunnel. The security appliance does not allow traffic sent to an interface to go back in the direction it was received from.

10 Replies

cpembleton
Level 4

Best way to resolve this would be to use DNS reply modification. Add dns to the end of the web server static. This will change the DNS reply your PC gets to the internal IP.

Webservers static nat:-

static (inside, outside) 222.222.222.10 192.168.87.5 dns

See this link for info:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html#wp1042753

Thanks,

Chad

Please rate if this helps.

Okay, cool. I appreciate the answer.

Thing is - I have control over the DNS server the machine is using to resolve the name so coulda done that already without using the DNS reply mod feature. Also I shoulda mentioned the web server serves up secure pages so the cert won't match the ip address/external domain name if users are redirected to the internal address.

It's also useful as a troubleshooting tool to go through the same access methods as external users to the http and https services this box provides.

Any more thoughts?

Regards

Paul.


Hairpinning! That's what I've needed to know - and thanks - I believe it doesn't either. I'll check myself through some docs and start a workaround to sort this out.

Thanks for your time!

Paul.

Did you try "alias"?

Hi,

I think in the end I stated that we couldn't do hairpinning from and back in an interface. But then I discovered the DNS doctoring command, which takes the form displayed below:

static (inside,outside) 222.222.222.10 192.168.87.5 netmask 255.255.255.255 dns

Which is the newer form of alias, is it not? This doctors all DNS requests for the 222.222.222.10 address directly to the 192.168.87.5 address from the inside, so clients all resolve the internal address and never even try to hit the firewall now.

Winner.

Thanks again guys!

Hi,

I am having the same problem but with a 1841 router. I can't access an inside host from inside clients when its DNS points to the outside router IP. From the outside the host is perfectly accessible.

Any suggestions?

Regards,

Oliver

Use the 'dns' command on the end of your static statement:

static (inside,outside) 192.168.10.10 10.10.10.10 netmask 255.255.255.255 dns

so everything that's getting resolved to the 192.168.10.10 external address gets fixed up by the firewall to return an address of 10.10.10.10 instead, meaning your clients connect directly rather than trying to 'hairpin' (which won't work) out and in the firewall's interface.

Hope this helps.

Paul.

I am also having the same problem as you guys, only that I am using PAT instead of static NAT (it looks like this):

static (internal,external) tcp interface www 192.168.6.2 www netmask 255.255.255.255 dns

it still doesn't work though. I haven't tried using the static NAT, since I am still waiting for the service provider to add another public ip address.

Anyway, has anyone tried using this command and actually made it work? Any workarounds I can do?

tnx

Vincent
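The following is an added example, not code from this thread or from Cisco: a small Python model of what the pre-8.3 `static ... dns` keyword does to A records in a DNS reply crossing the firewall, plus a check for whether a client's connection would have to hairpin on the outside interface. It assumes, as a simplification, that only one-to-one statics rewrite A records and that port-based (PAT) statics such as Vincent's are left untouched, which matches the report above; the sample config lines are constructed from the thread.

```python
import re

# Assumed model of ASA 7.x "static ... dns" DNS rewrite, written for this
# thread; not Cisco code. Port-based (PAT) statics are modelled as never
# rewriting A records.


def parse_static(line):
    """Parse a pre-8.3 'static (real_if,mapped_if) ...' line into a dict."""
    m = re.match(r"static\s*\((\w+)\s*,\s*(\w+)\)\s+(.+)", line.strip())
    if not m:
        return None
    real_if, mapped_if, rest = m.groups()
    toks = rest.split()
    port_based = toks[0] in ("tcp", "udp")
    if port_based:
        # static (r,m) tcp <mapped|interface> <mport> <real> <rport> [netmask ..] [dns]
        mapped, real = toks[1], toks[3]
    else:
        # static (r,m) <mapped> <real> [netmask ..] [dns]
        mapped, real = toks[0], toks[1]
    return {"real_if": real_if, "mapped_if": mapped_if, "mapped": mapped,
            "real": real, "dns": "dns" in toks, "port_based": port_based}


def doctor_reply(statics, a_records, from_if, to_if):
    """Rewrite A records of a DNS reply that enters on from_if and exits on to_if."""
    out = []
    for ip in a_records:
        for s in statics:
            if not s["dns"] or s["port_based"]:
                continue
            # Reply from the mapped side to the real side: mapped -> real
            if (from_if, to_if, ip) == (s["mapped_if"], s["real_if"], s["mapped"]):
                ip = s["real"]
                break
            # Reply from the real side to the mapped side: real -> mapped
            if (from_if, to_if, ip) == (s["real_if"], s["mapped_if"], s["real"]):
                ip = s["mapped"]
                break
        out.append(ip)
    return out


def would_hairpin(statics, client_if, dst_ip):
    """True if a client on client_if targets a mapped address that lives on
    another interface, i.e. the flow would have to U-turn on the firewall."""
    return any(s["mapped"] == dst_ip and s["mapped_if"] != client_if for s in statics)
```

With Paul's static loaded, `would_hairpin(statics, "inside", "222.222.222.10")` is True, while the doctored reply hands the inside client 192.168.87.5, for which it is False.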

turbo_engine26
Level 4

Hi Paul,

Actually, I see something wrong in the access list: since the NAT'd address is 222.222.222.10, the access list must look like this:

access-list inbound extended permit tcp any host 222.222.222.10 eq http

Hope this helps!!

Turbo
