Access Current Server using External SNAT IP

Ricardo Duarte
Level 1

Hi there,

I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network.

From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect.

So, say I have server1 and server2. I can connect from server1 to server2 with both the public and private IP, but can't connect from server1 to server1 using the public IP.

ASA logs show that packets are being denied due to land attack.

DNS doctoring is not an option for me.

Is there a way to fix this?

Thanks.

1 Reply

Jennifer Halim
Cisco Employee

When you are trying to access the server with its own IP address, the ASA will detect that, and will report that as the Land Attack, i.e., accessing the host with its own IP address.

Since the translation is being configured on the ASA, the ASA knows that the private IP of the server is trying to access its own public IP address, hence will deny that traffic.

I would suggest that if you need to access the server with its own IP address, you would need to configure it to access its private IP address instead of the public IP. Or access its loopback address, which is normally 127.0.0.1.
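To make the mechanism in the reply concrete, here is a small Python model added to this thread (it is not Cisco code and not from either poster). It assumes a static one-to-one SNAT table and reproduces the check Jennifer describes: the ASA first untranslates the public destination back to the DMZ host's private address, then drops any packet whose source now equals its destination. The addresses, the `STATIC_NAT` table and the sample syslog lines are constructed, and the `%ASA-2-106017` message shape used by the triage helper is an assumption about the log format, so adjust the regex to what your own ASA emits.

```python
"""Model of why an ASA drops a DMZ host's connection to its own public IP.

Added example, not from the thread. Assumes static one-to-one NAT and
reproduces the land-attack check: untranslate the destination, then deny
when source == destination.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed static NAT table: DMZ private address -> outside public address.
STATIC_NAT = {
    "10.10.1.11": "203.0.113.11",   # server1 (constructed)
    "10.10.1.12": "203.0.113.12",   # server2 (constructed)
}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def untranslate(pkt: Packet) -> Packet:
    """Reverse the destination NAT as the ASA does for traffic arriving on
    the DMZ interface: a public address that maps to a DMZ host is rewritten
    to that host's private address; anything else is left alone."""
    return Packet(pkt.src, PUBLIC_TO_PRIVATE.get(pkt.dst, pkt.dst))


def asa_verdict(pkt: Packet) -> str:
    """Return 'LAND_ATTACK' when source and destination coincide after
    untranslation (the case Ricardo hit), otherwise 'FORWARD'."""
    inner = untranslate(pkt)
    if ipaddress.ip_address(inner.src) == ipaddress.ip_address(inner.dst):
        return "LAND_ATTACK"
    return "FORWARD"


# Assumed message shape for %ASA-2-106017; sample lines are constructed.
LAND_RE = re.compile(
    r"%ASA-2-106017: Deny IP due to Land Attack from "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)

SAMPLE_LOGS = [
    "Jan 10 09:12:01 asa %ASA-2-106017: Deny IP due to Land Attack "
    "from 10.10.1.11 to 10.10.1.11",
    "Jan 10 09:12:02 asa %ASA-6-302013: Built inbound TCP connection 4711 "
    "for outside:198.51.100.7/51234 (198.51.100.7/51234) to "
    "dmz:10.10.1.12/443 (203.0.113.12/443)",
    "Jan 10 09:13:44 asa %ASA-2-106017: Deny IP due to Land Attack "
    "from 192.0.2.9 to 192.0.2.9",
]


def triage_land_logs(lines):
    """First-pass triage of land-attack denials. A source that is one of our
    NAT-mapped DMZ hosts is most likely the self-access-via-public-IP case
    from this thread (a client-side configuration issue); any other source
    is flagged for investigation as a possible spoofed packet."""
    findings = []
    for line in lines:
        m = LAND_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if src in STATIC_NAT or src in PUBLIC_TO_PRIVATE:
            kind = "self_access_via_public_ip"
        else:
            kind = "investigate_possible_spoof"
        findings.append((src, kind))
    return findings


if __name__ == "__main__":
    # server1 -> server2 via public IP works, server1 -> its own public IP does not
    print(asa_verdict(Packet("10.10.1.11", "203.0.113.12")))
    print(asa_verdict(Packet("10.10.1.11", "203.0.113.11")))
    for src, kind in triage_land_logs(SAMPLE_LOGS):
        print(src, kind)
```

The model also shows why Jennifer's workaround works: aimed at the private address, the packet never passes through the untranslation step on the ASA, so the source and destination are distinct and nothing is dropped. The triage helper cannot tell a hairpin self-access from an external spoof by addresses alone, which is why it only sorts findings into "probably our own DMZ host" and "look closer".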
