https://community.cisco.com/t5/network-security/routing-problem/m-p/3028584#M145448 <P>It is a carryover from its PIX days I believe. Basically the ASA does not allow you to access any resource on any interface if the traffic is sourced from any other interface. These checks happen even before NAT is checked, so it is not a problem with your NAT.</P> Mon, 27 Mar 2017 14:43:30 GMT Rahul Govindan 2017-03-27T14:43:30Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028581#M145440 <P>Hello&nbsp;</P> <P></P> <P>When i want to open a website from the public ip on the firewall the internal LAN i cannot open it.&nbsp;</P> <P></P> <P>What`s the problem? Is it not possible to open a connection to a server from the inside to the public IP of the firewall?&nbsp;</P> <P></P> <P>From outside everything is working fine.</P> <P></P> <P>Thanks</P> <P></P> Tue, 12 Mar 2019 09:08:00 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028581#M145440 Raimund Schimanovits 2019-03-12T09:08:00Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028582#M145442 <P>No this is not possible by design. You cannot access anything on a far end interface of the ASA when coming in from another interface. This is documented here:</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#29729</P> Mon, 27 Mar 2017 13:44:22 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028582#M145442 Rahul Govindan 2017-03-27T13:44:22Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028583#M145445 <P>Hmmm but what is the probem?</P> <P>I open a http request to an public IP.</P> <P>On the outside interface i made a NAT to the Server inside.</P> <P>The NAT is working perfect when the package comes from the internet. When i open the http request from the inside interface to the public IP from the NAT i get an unreachable.</P> <P></P> <P>So the package from the inside went through NAT comes to the outside Interface and goes back to the NAT to the server inside.&nbsp;</P> <P></P> <P>Am i right?&nbsp;</P> <P></P> <P>Thanks</P> <P></P> Mon, 27 Mar 2017 14:19:37 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028583#M145445 Raimund Schimanovits 2017-03-27T14:19:37Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028584#M145448 <P>It is a carryover from its PIX days I believe. Basically the ASA does not allow you to access any resource on any interface if the traffic is sourced from any other interface. These checks happen even before NAT is checked, so it is not a problem with your NAT.</P> Mon, 27 Mar 2017 14:43:30 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028584#M145448 Rahul Govindan 2017-03-27T14:43:30Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028585#M145450 <P>Ok Thanks for the perfect answer. The problem i had is that i alwas have now error messages in the log.</P> <P>When someone in the network makes a connection to the public ip i had this message.</P> <P></P> <P>&nbsp;Deny IP spoof from (xxx.xxxx.xxxx.xxxx) to xxx.xxx.xxx.xxxx on interface outside</P> <P></P> <P>then i only can block the ip from inside to outside or do you have a better idea?</P> <P></P> <P>Thanks</P> Tue, 28 Mar 2017 07:28:44 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028585#M145450 Raimund Schimanovits 2017-03-28T07:28:44Z https://community.cisco.com/t5/network-security/routing-problem/m-p/3028586#M145451 <P>Yeah the log is shown because the inside user gets translated to the same public ip address as the destination, resulting in the Source and destination IP address fields to be the same. You can stop this by applying an ACL on your inside interface to block traffic to the public ip address for your inside users.</P> Tue, 28 Mar 2017 10:16:21 GMT https://community.cisco.com/t5/network-security/routing-problem/m-p/3028586#M145451 Rahul Govindan 2017-03-28T10:16:21Z