Welcome to Cisco Firewalls Community

Beginner

Access Current Server using External SNAT IP

Hi there,

I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network.

From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect.

So, say I have server1 and server2. I can connect from server1 to server2 with both public and private, but can't connect from server1 to server1 using the public IP.

ASA logs show that packets are being denied due to land attack.

DNS doctoring is not an option for me.

Is there a way to fix this?

Thanks.

Cisco Employee

When you are trying to access the server with its own IP address, the ASA will detect that and will report it as a Land Attack, i.e., accessing the host with its own IP address.

Since the translation is being configured on the ASA, the ASA knows that the private IP of the server is trying to access its own public IP address, and hence will deny that traffic.

I would suggest that if you need to access the server with its own IP address, you would need to configure it to access its private IP address instead of the public IP, or access its loopback address, which is normally 127.0.0.1.
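
The check described in the reply can be modelled for log triage. The following is an added example, not part of the original thread and not Cisco's implementation: it undoes static NAT on both addresses of a land-attack denial and separates a known DMZ server reaching its own public IP from a same-source/destination packet that matches no NAT entry. The NAT table, addresses and log lines are constructed, and the message is assumed to be syslog 106017 in the form shown.

```python
import re
from ipaddress import ip_address

# Constructed static NAT table: real DMZ address -> mapped outside address.
STATIC_NAT = {
    ip_address("10.10.10.11"): ip_address("203.0.113.11"),  # server1
    ip_address("10.10.10.12"): ip_address("203.0.113.12"),  # server2
}
MAPPED_TO_REAL = {mapped: real for real, mapped in STATIC_NAT.items()}

# Assumed message form for the land-attack denial (syslog ID 106017).
LAND_RE = re.compile(
    r"%ASA-2-106017: Deny IP due to Land Attack from (\S+) to (\S+)"
)

def real_address(addr):
    """Undo static NAT so a mapped and a real address compare equal."""
    return MAPPED_TO_REAL.get(addr, addr)

def is_land(src, dst):
    """Simplified model: source and destination are one host after un-NAT."""
    return real_address(ip_address(src)) == real_address(ip_address(dst))

def triage(line):
    """Classify one syslog line; returns None for unrelated messages."""
    match = LAND_RE.search(line)
    if not match:
        return None
    src = real_address(ip_address(match.group(1)))
    dst = real_address(ip_address(match.group(2)))
    if src == dst and src in STATIC_NAT:
        # A translated DMZ server connecting to its own public address.
        return ("self-hairpin", str(src))
    # No NAT entry explains it: treat as possibly spoofed traffic.
    return ("investigate", str(src))

# Constructed sample log lines.
SAMPLE_LOG = [
    "Mar 01 10:15:02 asa %ASA-2-106017: Deny IP due to Land Attack "
    "from 203.0.113.11 to 203.0.113.11",
    "Mar 01 10:15:09 asa %ASA-2-106017: Deny IP due to Land Attack "
    "from 198.51.100.7 to 198.51.100.7",
    "Mar 01 10:15:11 asa unrelated message (constructed)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```
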
