topic Inside Access to NAT IP on outside interface in Network Security

Inside Access to NAT IP on outside interface

JohnTylerPearce — Mon, 11 Mar 2019 23:24:53 GMT

Hey, we have a server that has an outside IP and an inside IP. It's inside ip is 192.168.222.30/24 and it's outside IP is

199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the

NAT'd IP which is 199.204.50.2/29 is having issues, however, access to the inside IP works fine (this part makes sense)

Will It be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface

access the NAT'd IP which is assigned to the server

LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physicall assigned to this server)

This is an ASA 5510 with 8.4.

Inside Access to NAT IP on outside interface

Karsten Iwen — Fri, 29 Jun 2012 21:17:19 GMT

There are two solutions, depending of your DNS-Design.

If your clients query only an inside server, then this server has to resolve the FQDN to the inside IP.

If an external DNS-Server is queried, then the nat-statement needs "dns-doctoring" which is configured with the parameter "dns".

Inside Access to NAT IP on outside interface

alejands — Fri, 29 Jun 2012 22:06:46 GMT

You want the inside subnet to access the server 192.168.222.30 using his public NATed IP 199.204.50.2?

Have you try using a NAT for this?

nat (inside,inside) source static "object for 192.168.222.30" "object for 199.204.50.2"

with also the command:

same-security-traffic permit intra-interface

Let me know if this helps you.

Inside Access to NAT IP on outside interface

JohnTylerPearce — Sat, 30 Jun 2012 11:09:46 GMT

Basically, we have a vmview connection server that has a dns name of vmview.companyx.com. The internal DNS for this site points to a public IP which is on an IP in the outside interface network range. From what you guys have suggested, and what I have researched, I believe I need to implement DNS re-write/Doctoring. I'm trying to find some good examples of syntax about this command on 8.4 code.

Inside Access to NAT IP on outside interface

Karsten Iwen — Sat, 30 Jun 2012 15:15:53 GMT

Your case should be similar to the following:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140517

It's really that easy, that you just add the parameter "dns".

Inside Access to NAT IP on outside interface

JohnTylerPearce — Mon, 02 Jul 2012 18:03:52 GMT

Hey, thanks for the information guys. This worked but did not fix the problem. The internal DNS is hq.companyx.com and the external dns is companyx.com. We get the response now from vmview.companyx.com as our internal IP, but the VmView VCS rejects it. From what I heard, this is because it's expecting to get a reponse from an outside connection. From what I was thinking, does the ASA NAT an internal IP, (I have 225.0/24 PATd to outside IP), if the outside IP is on the directly connected subnet of the outside interface?

Inside Access to NAT IP on outside interface

Karsten Iwen — Mon, 02 Jul 2012 19:49:32 GMT

Do I understand you right:

- On the ASA you translate your inside source IPs when you access the DMZ from inside?

- On your VMView-server is some access-controll that only allows access from certain IPs?

If that's the case it would be best to allow the VMview-server to be accessed from the inside-IP-range. Additionally you should exempt the communication from being natted when send from inside to DMZ.

Inside Access to NAT IP on outside interface

mvsheik123 — Mon, 02 Jul 2012 21:06:54 GMT

Hi Jean,

Do you have DNS inspection enabled (with policy-map) while testing with DNS doctoring?

Thx

Inside Access to NAT IP on outside interface

JohnTylerPearce — Mon, 02 Jul 2012 21:29:05 GMT

Yes, we have DNS inspection turned on. I think what I need to work with the VCS server, is that my internal subnet on the inside interface of the ASA (192.168.225.0/24) need to access a NAT'd IP (1.2.3.0/29). The VCS server has an IP address which is in the outside interface IP range.

The internal clients are having issues connecting to 1.2.3.2 which is the VCS server.

192.168.225.x (Inside Interface Range)<=====>(Outside Interface Range)1.2.3.2/29

The internal hosts cannot connect to 1.2.3.2/29.

I didn't know if this was some security feature that didn't allow internal hosts to access the outside internface IP range or not. Currently all internal hosts are PAT'd to 1.2.3.1 (outside inteface IP)

Inside Access to NAT IP on outside interface

Julio Carvajal — Tue, 03 Jul 2012 03:02:49 GMT

Hello John,

Ok so If the DNS response from the DNS server will show 199.204.50.2 then this is what you need to do 8.4 talking

object network Public_Server

host 199.204.50.2

object network Internal_Server

host 192.168.222.30

nat (inside,inside) source dynamic any interface destination static Public_Server Internal_Server

same-security-traffic permit intra-interface

Rate all the helpful posts!!!

Julio

Inside Access to NAT IP on outside interface

JohnTylerPearce — Tue, 03 Jul 2012 12:15:26 GMT

Thanks, everyone for your help! Nicely done jcarvaja.

Re: Inside Access to NAT IP on outside interface

tanios191 — Thu, 01 Mar 2018 11:42:20 GMT

Hello Julio,

I have one question regarding this I have a server that has an IP private 10.0.0.20/24 and is published on public IP X.X.X.X

I have an ASA 5516

how can I make users able to access server on both private and public IP in the same time

I have tried it for example nat(servers-zone,outside) users are able to access only on internal IP but not on public IP

I have tried nat(servers-zone,any) users are able to access only on public IP internal IP doesn't work anymore

Kindly assist please

Regards,