I've got an ASA5520 7.2(1) which I've got a few probs with - one of which is something I'm struggling with.
I'm trying to hit a website from a host in the inside network which is actually hosted internally but resolves to the static nat'd address on the outside interface of the firewall.
Now I can see the TCP connection built, the translation occurring to a high port on the outside interface, that high port talking back at one of the static'd addresses on the outside interface, then that's it. There are no more entries in my log with regard to the connection and I'm not receiving SYNs on the internal web server either, so the connection ain't coming back in.
ip address outside 222.x.x.9 255.255.255.248
ip address inside 192.168.87.1 255.255.255.0
Webserver's static nat:-
static (inside, outside) 222.x.x.10 192.168.87.5
Access lists to gain access:-
access-list inbound extended permit tcp any host 192.168.87.5 eq http
access-group inbound interface outside in
It all works fine when originating from a Global internet address - just not when the address originated from inside and Dynamic PAT is performed to the originating address.
Here's a capture session using the following access list for capture on inside and outside interfaces concurrently
access-list web line 1 extended permit ip host 184.108.40.206 any
access-list web line 2 extended permit ip any host 220.127.116.11
on the INSIDE interface (nothing gets logged on the outside) (ip addresses have been replaced with non-sensical ones) - but the 222 address is the interface's static'd address and the other is on the internal network.
316: 19:14:02.900206 192.168.87.10.2275 > 18.104.22.168.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>
317: 19:14:05.973185 192.168.87.10.2275 > 22.214.171.124.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>
192.168.87.10 is my client trying to connect.
Anyone have any gotchas which are stopping this function working?
All the networks are directly attached and there's no route summarisation occurring anywhere.
Hope you guys can help!
Best way to resolve this would be to use DNS Reply modification. Add dns to the end of the web server static. This will change the DNS reply your PC gets to the internal IP.
Webserver's static nat:-
static (inside, outside) 126.96.36.199 192.168.87.5 dns
See this link for info:
Please rate if this helps.
Okay, cool. I appreciate the answer.
Thing is - I have control over the DNS server the machine is using to resolve the name so coulda done that already without using the DNS reply mod feature. Also I shoulda mentioned the web server serves up secure pages so the cert won't match the ip address/external domain name if users are redirected to the internal address.
It's also useful as a troubleshooting tool to go through the same access methods as external users to the http and https services this box provides.
Any more thoughts?
Hairpinning! That's what I've needed to know - and thanks - I believe it doesn't either. I'll check myself through some docs and start a workaround to sort this out.
Thanks for your time!
I think in the end I stated that we couldn't do hairpinning from and back in an interface. But then I discovered the DNS doctoring command which would take the form as displayed
static (inside,outside) 188.8.131.52 192.168.87.5 netmask 255.255.255.255 dns
Which is the newer form of alias, is it not? This doctors all DNS requests for the 184.108.40.206 address directly to the 192.168.87.5 address from the inside, so clients all resolve the internal address and never even try and hit the firewall now.
Thanks again guys!
I am having the same problem but with a 1841 router. I can't access an inside host from inside clients when its DNS points to the outside router IP. From the outside the host is perfectly accessible.
Use the 'dns' command on the end of your static statement:
static (inside,outside) 192.168.10.10 10.10.10.10 netmask 255.255.255.255 dns
so everything that's getting resolved to the 192.168.10.10 external address gets fixed up by the firewall to return an address of 10.10.10.10 instead, meaning your clients connect directly rather than trying to 'hairpin' (which won't work) out and in the firewall's interface.
Hope this helps.
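To make the DNS reply modification described in the replies above concrete, here is an added example (not Cisco code and not from anyone in this thread) that models what the trailing dns keyword on a static statement does: a DNS reply passing from the outside server towards an inside client is inspected, and any A record whose address is a mapped (outside) address in the one-to-one static table is rewritten to the real (inside) address, so the client never has to hairpin. The mapping table, the build_a_reply() helper and the sample reply are all constructed for the example; the addresses are the thread's own placeholder values.

```python
import struct
import socket

# Constructed one-to-one static table: mapped (outside) address -> real (inside) address.
# Models "static (inside,outside) 188.8.131.52 192.168.87.5 netmask 255.255.255.255 dns".
STATIC_NAT = {
    "188.8.131.52": "192.168.87.5",
}


def _skip_name(pkt, off):
    """Return the offset just past the DNS name that starts at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(pkt, static_nat=STATIC_NAT):
    """Rewrite A-record answers that carry a mapped address so the inside client gets the real one.

    Returns (doctored_packet, rewrites) where rewrites is a list of (mapped, real) tuples.
    Queries (QR bit clear) and non-A records are passed through untouched.
    """
    pkt = bytearray(pkt)
    flags = struct.unpack("!H", pkt[2:4])[0]
    if not flags & 0x8000:  # QR bit clear: this is a query, nothing to doctor
        return bytes(pkt), []
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12  # fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record
            addr = socket.inet_ntoa(bytes(pkt[off:off + 4]))
            if addr in static_nat:
                pkt[off:off + 4] = socket.inet_aton(static_nat[addr])
                rewrites.append((addr, static_nat[addr]))
        off += rdlen
    return bytes(pkt), rewrites


def build_a_reply(name, addr, txid=0x1234):
    """Constructed helper: build a minimal DNS response with one IN A answer for name -> addr."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)  # name pointer to offset 12
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", "188.8.131.52")  # what the outside DNS server answers
    doctored, changes = doctor_dns_reply(reply)
    print("rewrites:", changes)
    print("client now resolves to:", socket.inet_ntoa(doctored[-4:]))
```

The rewrite is length-preserving (IPv4 in, IPv4 out), which is why the firewall can do it without recomputing anything beyond the UDP checksum. Note what the model does not do: it only has one-to-one mappings, so an interface PAT entry such as the tcp interface www form later in this thread would not be in the table at all, which matches the reported experience that the dns keyword did not help in that case.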
I am also having the same problem as you guys, only that I am using PAT instead of STATIC NAT (looks like this):
static (internal,external) tcp interface www 192.168.6.2 www netmask 255.255.255.255 dns
it still doesn't work though. I haven't tried using the static NAT, since I am still waiting for the service provider to add another public ip address.
Anyway, has anyone tried using this command and actually made it work? Any workarounds I can do?
Actually, I see something wrong in the access list, since the nat'd address is 220.127.116.11, so the access list must look like this:
access-list inbound extended permit tcp any host 18.104.22.168 eq http
Hope this helps!!