Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

how to allow fallback traffic from inside to outside interface back to inside?

Hi,

i have ASA 5505 and have typical situation which some low cost routers allow, but i cant find how to do it on ASA.

What i mean. ASA is router/ firewall with NAT. On internal network is some clients and 1 server. This server hosts HTTP server and DNS server.

DNS server ahs records for external domain www.domain.com which is this same server in fact but this record is for external users and internal users as well.

On ASA is configured static nat with PAT from port 80 to port 80 from server IP to outside interface IP. This redirect works good for external users.

Situation:

Internal user request in browser www.domain.com, he got ip address 1.2.3.4. Browser try to access 1.2.3.4 But with no response from ASA because ASA dropped traffic by ACL. But ACL is configured on inside interface from any to any protocol ip permit.

I want that ASA redirect this request back to inside interface and show this page to internal users. On low cost Ovislink this works.

What can I do for that so internal users can access web server on internal network but by external IP address? This situation is in more companies that I know and I still dont know how to resolve it.

question.png

Comments
New Member

same-security-traffic permit intra-interface

static (inside,inside) tcp 1.2.3.4 www 192.168.123.6 www netmask 255.255.255.255

New Member

hi it doesn't work. when i look into real-time log viewer I can see this error:

3Oct 30 200917:32:05305006ns.winadmin.cz80

portmap translation creation failed for tcp src inside:192.168.123.2/49532 dst inside:ns.domain.com/80

i attached my config here with removed real addresses and replaced by IP as on picture.

ns(config)# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ns
domain-name domain.com
names
name 192.168.123.6 dc.domain.local
name 1.2.3.4 ns.domain.com
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
mac-address 0013.d399.08bd
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name domain.com
same-security-traffic permit intra-interface
object-group service RealVNC16729 tcp
port-object eq 16729
access-list outside_access_in extended permit tcp any host ns.domain.com eq www
access-list outside_access_in extended permit tcp any host ns.domain.com eq https
access-list outside_access_in extended permit icmp any host ns.domain.com
access-list outside_access_in extended permit udp any host ns.domain.com eq domain
access-list outside_access_in extended permit tcp any host ns.domain.com eq smtp
access-list outside_access_in extended permit tcp any host ns.domain.com eq 16729
access-list outside_access_in extended permit tcp any host ns.domain.com eq 65004
access-list outside_access_in extended permit tcp any host ns.domain.com eq 65003
access-list outside_access_in extended permit tcp any host ns.domain.com eq 65002
access-list outside_access_in extended permit tcp any host ns.domain.com eq 65001
access-list outside_access_in extended permit tcp any host ns.domain.com eq 65000
access-list outside_access_in extended permit tcp any host ns.domain.com eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.123.0 255.255.255.0
static (inside,inside) tcp ns.domain.com www dc.domain.local www netmask 255.255.255.255
static (inside,outside) tcp interface https dc.domain.local https netmask 255.255.255.255
static (inside,outside) udp interface domain dc.domain.local domain netmask 255.255.255.255
static (inside,outside) tcp interface smtp dc.domain.local smtp netmask 255.255.255.255
static (inside,outside) tcp interface 16729 dc.domain.local 16729 netmask 255.255.255.255
static (inside,outside) tcp interface www dc.domain.local www netmask 255.255.255.255
static (inside,outside) tcp interface ftp dc.domain.local ftp netmask 255.255.255.255
static (inside,outside) tcp interface 65000 dc.domain.local 65000 netmask 255.255.255.255
static (inside,outside) tcp interface 65001 dc.domain.local 65001 netmask 255.255.255.255
static (inside,outside) tcp interface 65002 dc.domain.local 65002 netmask 255.255.255.255
static (inside,outside) tcp interface 65003 dc.domain.local 65003 netmask 255.255.255.255
static (inside,outside) tcp interface 65004 dc.domain.local 65004 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.123.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.123.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcp-client client-id interface outside
dhcpd domain marchyn.local
dhcpd auto_config outside
!
dhcpd address 192.168.123.10-192.168.123.41 inside
dhcpd dns dc.domain.local interface inside
dhcpd enable inside
!

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 217.31.205.226 source outside prefer
webvpn
port 444
enable outside
dtls port 444
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
svc enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ccec9375f0b00b42e0bd4081dd3beb91
: end

Cisco Employee

Please check the following documents, it seems that you are missing the global statement.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

global (inside) 1 interface

3401
Views
0
Helpful
3
Comments