topic Re: Access in Network Security

Access

ray_stone — Mon, 11 Mar 2019 13:52:43 GMT

Hi, We have ASA 5505 and installed in the Production. Now we want to access the website by using Public IP from Server which is hosted in same server. Exp : The local IP of server is 1.1.1.1 and which is mapped with public IP 2.2.2.2 on ASA FW, now when I try to access same website like http:\\2.2.2.2\xyz then it doesn't open but when i use 1.1.1.1 then it works. I am using same Local Server 1.1.1.1 to open the website by its public IP. The website can be access from outside machine without any issue. Now tell me is it possible??? Thnaks

Re: Access

satish_zanjurne — Fri, 03 Oct 2008 12:58:53 GMT

Hi,

It is possible

Suppose your inside network is 192.168.100.0

then see the configuration below

1. access-list OUTSIDE extended permit tcp any host 2.2.2.2 eq www

2. global (outside) 1 interface

3.nat (inside) 1 192.168.100.0 255.255.255.0

4.Static translation to allow hosts on the inside access to hosts on the dmz.

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

5.The "dns" keyword is added to instruct the security appliance to modify DNS records related to this entry

static (dmz,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns

6.access-group OUTSIDE in interface outside

HTH..rate if helpful..

Re: Access

ray_stone — Fri, 03 Oct 2008 13:20:39 GMT

Hi,

Thanks for your reply!!

Well, DMZ not in the scenario as I have already mentioned that all settings have been done and we can access the website from outside by using http://2.2.2.2---mapped----internal Server IP is 1.1.1.1 but when I open the same website http:\\2.2.2.2 on the same server where its hosted (1.1.1.1) then it doesn't work as it works when i use http:\\1.1.1.1. I think it can be done by DNAT but I don't know how to configure. Please advice

Re: Access

ray_stone — Fri, 03 Oct 2008 14:33:59 GMT

Please help!!

Re: Access

suschoud — Fri, 03 Oct 2008 14:34:34 GMT

Here you go :

ADD " DNS " KEYWORD AT THE END OF STTAIC WHICH MAPS 2.2.2.2 TO 1.1.1.1

Exp : The local IP of server is 1.1.1.1 and which is mapped with public IP 2.2.2.2 on ASA FW :

NO STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1

STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1 DNS

CL XLATE

CL LOCAL

oN SerVEr :

ipconfig/flushdns

Try :

http://2.2.2.2--> should work.

Do rate helpful posts.

Regards,

Sushil

Re: Access

ray_stone — Fri, 03 Oct 2008 15:47:16 GMT

Hi Sushil : Thanks for your reply.

Would it be affect of incoming web traffic from the outside world becoz its in the production. Thanks

Re: Access

suschoud — Fri, 03 Oct 2008 16:27:32 GMT

When you would remove static,incoming traffic to web server would stop.

As soon as you add the static with dns keyword,access would come back up.So,it depends how fast you do the changes.I think you can simply copy and paste the commands in one go.There would be a momentarily disruption of traffic almost unnoticable.

Regards,

Sushil

Re: Access

ray_stone — Fri, 03 Oct 2008 18:46:59 GMT

Thanks!!

Re: Access

mohsin.khan — Tue, 07 Oct 2008 02:44:26 GMT

Hi Sushil,

Can you please explain the reason of using DNS? Why and when do we need to use DNS modification?

Re: Access

abinjola — Tue, 07 Oct 2008 04:44:29 GMT

folks..the "keyword" dns modifies the return FQDN/DNS Reply packet,called DNS Doctrine however here the requester(Ray) mentions this in his issue

"now when I try to access same website like http:\\2.2.2.2\xyz then it doesn't open"

That means he is trying to open it with the IP address ..and it doesn work...how come DNS doctrine comes into picture when he is not sending DNS packet out ?

Ray are you running version higher than 7.2.2 ? if yes, then add these commands

static (inside,inside) 2.2.2.2 1.1.1.1

nat (inside) 1 0 0

global (inside) 1 interface

same-security-traffic permit intra-interface

Re: Access

mohsin.khan — Wed, 08 Oct 2008 02:34:07 GMT

i am sorry to say this, but without explaining the fact of WHY any recommended commands be used, is many a times missing. I don't know how Ray is going to interpret these commands, but to me why would you ask him for static (inside, inside) ... if its a typo, then again without explanation ray is not going to understand. and if its not typo then why must he use this command when he is trying to use 2.2.2.2 as his outside ip address? (i haven't gone higher than 7.0, so asking)

What would the last command do?

Re: Access

abinjola — Wed, 08 Oct 2008 04:13:49 GMT

This is U-turning,

its not typo..static (inside,inside) 2.2.2.2 1.1.1.1.....suggest source and destination both on inside (in simpler terms)