topic Re: from inside to inside in a pix515e in Network Security

from inside to inside in a pix515e

roberto.costantini — Mon, 11 Mar 2019 11:47:42 GMT

hi all i'm experiencing problem in a pix515e

client on inside are natted with a pool of public addresses on outside interface and all works fine but if i try to access inside client with their public address fron another client in inside network with his different pubblic address doesn't work ... idem from dmz to inside ... otherwise from inside to dmz all works fine ... from outside i can access anything

is there any special command to make this ?

thank you

Re: from inside to inside in a pix515e

1cmerchant — Mon, 14 Jan 2008 20:03:40 GMT

If I understand your question correctly, you want IP traffic to enter the Pix and then exit it using the same interface right? If so then the command 'same-security-traffic permit intra-interface' may solve your problem. This command permits communication in and out of the same interface, which is not enabled by default. The only caveat would be that the code must be at least at v7.0x as I don't believe this command existed in the v6.3(5) and previous code.

Re: from inside to inside in a pix515e

roberto.costantini — Mon, 14 Jan 2008 20:25:39 GMT

thank for your response ...

i've tried

pixfirewall(config)# same-security-traffic permit ?

configure mode commands/options:

inter-interface Permit communication between different interfaces with the

same security level

intra-interface Permit communication between VPN peers connected to the same

interface

pixfirewall(config)# same-security-traffic permit in

pixfirewall(config)# same-security-traffic permit inte

pixfirewall(config)# same-security-traffic permit inter-interface

pixfirewall(config)# same-security-traffic permit intra

pixfirewall(config)# same-security-traffic permit intra-interface

pixfirewall(config)#

but it doesn't work enough ! 😞

Re: from inside to inside in a pix515e

vanagon2tdi — Mon, 14 Jan 2008 22:17:54 GMT

Sorry this does not help your post, but I have the same issue.

Internal client trying to get to internal server via host name. The host name gets translated to the public address so it does not work. AHHHHH!

Anyone find any more on this?

Dave

Re: from inside to inside in a pix515e

vanagon2tdi — Mon, 14 Jan 2008 23:15:28 GMT

So what I have figured out is this.

Using the same-security commands allows anyone on the same lan as the address that gets NAT'ed to get to the NAT'd address. Anyone not on that LAN cannot.

User A 10.7.7.20

Server 10.7.7.10=204.50.200.1=site.intweb.com

User B 10.6.6.20

User A can now get to http://site.intweb.com but user B cannot.

Anyone know what can be done here?

Dave

Re: from inside to inside in a pix515e

roberto.costantini — Tue, 15 Jan 2008 12:27:28 GMT

maybe a bug in cisco ios ? 😛

Re: from inside to inside in a pix515e

brian.wilson — Tue, 22 Jan 2008 22:29:25 GMT

I'm having the same problem running 7.0(2) on a PIX 515e. I have a second routed network inside my LAN. The PIX inside interface is the default gateway for the network. When a device on the routed network - 192.168.1.x - tries to access servers on the LAN - 192.168.50.x, the PIX drops the packets. I see it in the logs.

I've tried the same-interface commands but no good. Anyone found anything yet?

Re: from inside to inside in a pix515e

pengfang — Wed, 23 Jan 2008 03:47:40 GMT

Hi all,

Only PIX v7.2 or later supports "hairpinning" for unencrypted traffic,also you probably have to do NAT on the Inside interface. I just drew a diagram and wrote some code, but don't have PIX/ASA to test it, anybody could test the code,please post the result.

If it helps, please rate.

Re: from inside to inside in a pix515e

brian.wilson — Wed, 23 Jan 2008 14:38:26 GMT

Thanks for the help. I had everything except the version. I'll upgrade and that should do it. Thanks again for the help.

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 17:59:56 GMT

I have two PIX's running in fail over mode with the below config and I still cannot get the hair pinning to work.

Again this is what I am trying to accomplish:

User A 10.7.7.20

Server 10.7.7.27=204.50.200.51=site.intweb.com

User B 10.7.4.20

User A can now get to http://site.intweb.com but user B cannot. User B cannot even ping the public address 204.50.200.51?

PIX-01# sh ver

Cisco PIX Security Appliance Software Version 7.2(3)

interface Ethernet0

nameif Outside

security-level 0

ip address 204.50.200.250 255.255.255.248 standby 204.50.200.251

interface Ethernet1

nameif inside

security-level 100

ip address 4.0.4.4 255.255.255.0 standby 4.0.4.5

access-list 101 extended permit ip any host 204.50.200.51

static (inside,Outside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255 dns

global (Outside) 10 interface

global (inside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0

nat (inside) 30 10.7.4.0 255.255.255.0

route inside 10.7.4.0 255.255.255.252 4.0.4.1 1

same-security-traffic permit intra-interface

Am I missing anything?

Dave

Re: from inside to inside in a pix515e

brian.wilson — Wed, 23 Jan 2008 18:09:49 GMT

What happens when you remove - nat (inside) 30 10.7.4.0 255.255.255.0?

There is no matching global statement and the nat 30 line is more specific than the nat 10 line. Doesn't the NAT statement that is more specific apply?

What do the logs say when you try this? Does it say no matching translation?

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 18:19:10 GMT

No difference if I take it off.

What debugs should I run to watch the NAT translation? Keep in mind this is a live system.

Dave

Re: from inside to inside in a pix515e

brian.wilson — Wed, 23 Jan 2008 18:37:41 GMT

Being a production system, I wouldn't use debug unless it came to that, and then only out-of-hours.

You could set buffer logging to warn -

logging buffered warnings

and then use -

sho logg | inc "ip address of bad box"

to see entries for your specific box only.

I was able to see that my routed network wasn't getting nat'ed at one point because it was logging something about no translation available.

I also used this to see that it was eating the traffic going in.

If that doesn't give enough info set buffer logging to debug and use the same filtered search of the logs.

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 19:17:39 GMT

Ok so when I do the debug it shows the packets from 10.7.4.1 trying to get to 204.50.209.51, BUT when 10.7.4.1 tries to hit that address it actually goes out the firewall. It is being translated to 204.50.200.250 which is the public that all the others on our network use. If I put in this command:

nat (inside) 20 10.7.4.0 255.255.255.0

which means 10.7.4.1 will be translated to 204.50.200.27 the same as anyone on the 10.7.7.0 network or the same as the web server I am trying to get to (10.7.7.27) then it works.

So basically what we are saying here is that if you use the outside address of your FW as the PAT address for everyone, then you cannot do hairpinning.

Make sense? Comments?

Dave

Re: from inside to inside in a pix515e

pengfang — Wed, 23 Jan 2008 19:42:51 GMT

Hi Dave,

This is a little bit interesting, so why user A can access Server,it should have same behavior with user B (only difference is source IP),right? when u saying

User A 10.7.7.20

Server 10.7.7.27=204.50.200.51=site.intweb.com

User B 10.7.4.20

User A can now get to http://site.intweb.com but user B cannot.

1. Did u put " global (inside) 10 interface " when user A can get to http://site.intweb.com ?

2. If not, that means firewall doesn't do NAT at Inside interface. Can you do the same debug for User A to see if it been PATted to 204.50.200.250 ?

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 19:56:24 GMT

Yeah sorry my response was a mouthful and hard to understand.

User A is setup to go out as 204.50.200.27

User B is setup to go out as 204.50.200.250 which is also the IP of the Outside interface.

global (Outside) 10 interface

global (Outside) 20 204.50.200.227 netmask 255.255.255.255

global (inside) 10 interface

nat (inside) 20 10.7.7.0 255.255.255.0

nat (inside) 10 0.0.0.0 0.0.0.0

With this config user B cannot get to http://site.intweb.com but A can. This is because he is not going out as the Outside interface of the PIX.

So if I add in this command:

nat (inside) 20 10.7.4.0 255.255.255.0

then it works from the 10.7.4.0 LAN as his new public (nat) is 204.50.200.27

So I think the hairpinning will not work when you are nat'd to the IP of the Outside interface.

To answer question 2. the user A is translated to 204.50.200.27.

Dave

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 20:43:19 GMT

So I have confirmed that if the users are going out as the public IP of the Outside interface or the PIX then the same-security-traffic permit intra-interface or hair pinning will not work.

Once I changed all the users to go out with a different IP than the Outside interface everyone internal can access the web page.

Hope this helps someone else!

Dave

Re: from inside to inside in a pix515e

pengfang — Wed, 23 Jan 2008 20:49:14 GMT

That is great, in this case , I think "global (inside) 10 interface" is not functioning, if you remove this code, you should get same result.

Re: from inside to inside in a pix515e

vanagon2tdi — Wed, 23 Jan 2008 20:52:23 GMT

Yep removed that line as it is not doing anything.

Dave

Re: from inside to inside in a pix515e

roberto.costantini — Fri, 11 Apr 2008 05:02:43 GMT

hi all, i've upgraded the ios in my pix but i can't arrive to the public natted address from inside interface ...

i've set same-security-traffic permit intra-interface command.

some ideas ?

this is my ver

pixfirewall# show version

Cisco PIX Security Appliance Software Version 8.0(2)

Device Manager Version 6.0(2)

thank you