topic Yes thats IP of outside in Network Security

How do I reach my internal server from Inside network

mahesh18 — Tue, 12 Mar 2019 05:14:33 GMT

Hi Everyone,

We have server configured on inside network on inside interface of ASA.

Also i have port forwarding configured on ASA so that i can reach this server from outside world using https.

Need to know how can i reach this server from inside interface of ASA?

Regards

MAhesh

Hi Mahesh, If users from

Rishabh Seth — Thu, 18 Dec 2014 15:47:42 GMT

Hi Mahesh,

If users from Inside are going to access the server on the private IP address then you just have to allow intra-interface traffic by using command

config)# same-security-traffic permit intra-interface

otherwise if the users are going to access the server on its public IP from inside then you have to go for either DNS doctoring or NAT hair-pinning.

You can refer following links:

DNS doctoring:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

NAT uturn:

http://www.willneumann.net/2009/04/setup-u-turn-hairpinning-on-cisco-asa/

https://supportforums.cisco.com/document/44571/asa-83-nat-u-turn-example-ra-vpn-client-traffic

Hope it helps.

Thanks,

Rishabh

Hi Rishabh, One thing need

mahesh18 — Thu, 18 Dec 2014 18:06:54 GMT

Hi Rishabh,

One thing need to confirm if i use config)# same-security-traffic permit intra-interface will traffic

hit any NAT rule?

My understanding is no NAT rule should be hit.

Regards

MAhesh

If your inside users are

Marius Gunnerud — Thu, 18 Dec 2014 18:24:24 GMT

If your inside users are accessing the server using its public IP, then you will need both the same-security-traffic permit intra-interface command as well as a NAT statement which will translate the public IP to the private IP with the real and mapped interface both being the inside interface. for example:

nat (inside,inside) source static 10.0.0.0 255.255.255.0 destination static <public IP> <private IP>

For DNS doctoring to work, the DNS server needs to be located off a different than what the LAN users are connected to. If the DNS server and the local LAN users are located on the same subnet DNS doctoring will not work.

Please remember to select a correct answer and rate helpful posts

Will test tonight and keep

mahesh18 — Thu, 18 Dec 2014 18:51:31 GMT

Will test tonight and keep you updated.

Hi Marius,when i use private

mahesh18 — Sat, 20 Dec 2014 16:18:06 GMT

Hi Marius,

when i use private IP i can access the server from inside.

I check ASA config it already has ----below command configured.

same-security-traffic permit intra-interface

Need to know when i use Private IP to access the server from inside then no NAT is involved and no logs are generated right?

When i try to config below NAT so that i can access the server via Public IP from inside

network i get error

nat (inside,outside) source static 10.0.0.4 255.255.255.255 destination static 96.51.x.x 10.0.0.4

ERROR: 10.0.0.4 doesn't match an existing object or object-group

Regards

MAhesh

Mahesh,Two issues - your test

Marvin Rhoads — Sat, 20 Dec 2014 16:54:00 GMT

Mahesh,

Two issues - your test NAT statement is 'inside,outside'. As Marius correctly noted, your use case would require 'inside,inside'.

Also, the ASA is complaining because you seem to be running 8.3+ and should thus use object NAT. So define a network-objects for the hosts real and NATted addresses first and then make your NAT statement reference those objects.

Hi Marvin, Yes ASA version

mahesh18 — Sat, 20 Dec 2014 17:15:38 GMT

Hi Marvin,

Yes ASA version is 9.1

I did below config

object network server1
host 10.0.0.4
object network server3
host 96.51.x.x

nat (inside,inside) source static server1 server1 destination static server3 server1

where 10.0.0.4 is server Private IP.

this NAT statement is on top of NAT order.

When i try from PC 10.0.0.8 below are logs

Dec 20 2014 10:10:49: %ASA-6-110002: Failed to locate egress interface for TCP from inside:10.0.0.8/65128 to 96.51.x.x/443
Dec 20 2014 10:11:11: %ASA-6-110002: Failed to locate egress interface for TCP from inside:10.0.0.8/65130 to 96.51.x.x/443

Regards

MAhesh

Mahesh,Is 96.51.x.x.in the

Marvin Rhoads — Sat, 20 Dec 2014 23:43:53 GMT

Mahesh,

Is 96.51.x.x.in the same subnet as your outside interface?

Yes thats IP of outside

mahesh18 — Sun, 21 Dec 2014 00:09:00 GMT

Yes thats IP of outside interface.

Regards

MAhesh