Beginner

ASA5505 - Accessing services from inside to outside.

Hi everyone,

I have a web server that sits behind an ASA5505; let's say it has the IP 10.0.1.10.

I have configured a NAT rule to forward port 80 from the outside interface, for example 54.55.56.57, to this server. It works flawlessly.

However, I have observed that if I have a PC on the same subnet as this web server, let's say the PC has the IP 10.0.1.20, the PC can't connect to the web server if I type in http://54.55.56.57. http://10.0.1.10 works without any issue.

Now I'm curious: can I make the PC able to access the web server's external address if it resides on the same subnet as the server?

 

Thanks.

12 REPLIES
VIP Advisor

Re: ASA5505 - Accessing services from inside to outside.

Hi

 

Yes this is possible.

Take a look at this link, section 1 and section 2: https://community.cisco.com/t5/security-documents/dns-doctoring-and-u-turning-on-the-asa-quot-when-and-how-to-use/ta-p/3153693

 

Section 1 is for DNS doctoring (if users get DNS resolution from an external DNS server) and Section 2 is without DNS doctoring.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: ASA5505 - Accessing services from inside to outside.

Hi Francesco,

 

Thanks for the information, but it seems I'm not allowed to select the "Translate the DNS reply for rules" checkbox, which is somehow required to make DNS doctoring work. Is there something to do with my NAT?

 

NAT.jpg

Contributor

Re: ASA5505 - Accessing services from inside to outside.

Kindly please show us your NAT rule.

Beginner

Re: ASA5505 - Accessing services from inside to outside.

Here are my NAT rules. Thanks.

 

Beginner

Re: ASA5505 - Accessing services from inside to outside.

Hello,

 

Could you please post the output from show run nat?

 

 

VIP Advisor

Re: ASA5505 - Accessing services from inside to outside.

Can you please share your show run, then I can adapt your config.
Is the object you want to NAT the one called Web-Server?

Also, can you please share the output of the following command:

packet-tracer input Lab_Outside_Gateway tcp A.A.A.A 12345 B.B.B.B 443 detail

==> A.A.A.A should be replaced by any inside IP
==> B.B.B.B should be replaced by your public interface IP.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Contributor

Re: ASA5505 - Accessing services from inside to outside.

Since you cannot use DNS, the other solution could be something like this.


object network HOST-OUT
 host 54.55.56.57
 nat (WAN,Lab_Outside_Gateway) static 10.0.1.21
!
access-list OUT-IN extended permit tcp any host 10.0.1.21 eq 80
access-group OUT-IN in interface outside

 

 

If this fulfills your purpose and is something like what you are looking for: in that case, from your Lab_Outside_Gateway PC, use http://54.55.56.57. Once this rule is in place you cannot use http://10.0.1.21.



You have to reserve this IP address 10.0.1.21 for this server, bound to 54.55.56.57. However,
having said that, this can be useful if you have a spare public IP address.

Beginner

Re: ASA5505 - Accessing services from inside to outside.

Hi,

Thanks for the NAT tip. However, my 54.55.56.57 public IP actually comes from DHCP from the ISP. I do not have a static IP at the moment.

In this case, can I bind the host to the outside interface instead of 54.55.56.57 for the NAT rule to work?

Contributor

Re: ASA5505 - Accessing services from inside to outside.

I think I know what you want. Maybe I can help you, but it will be a different approach.

 

First of all, tell me: if you are sitting inside your network, why do you want to use the public IP address to access the server? You can easily use the private RFC 1918 addresses. Having said that, I think you have something like this in mind: you want to access http://54.x.x.x from outside, on the internet, when you are not at home or are somewhere in another country, so your server is always accessible to you regardless of whether the address from DHCP changes.

 

If you answer this I can guide you.

Beginner

Re: ASA5505 - Accessing services from inside to outside.

Hi,

 

Static NAT is used whenever an outside user would like to access a server that sits in your internal network. In this case, traffic traverses from WAN to Lab_Outside_Gateway.

 

For example, someone on the internet is trying to access the web server via http://54.55.56.57. The packet arrives at the ASA and matches the NAT rule; the packet is then translated to the private address and forwarded via the correct interface.

 

I understand that your question is how to use the public IP when accessing from the internal network. Can't you use the private IP when accessing from inside?

 

Thanks

 

 

However in your case the traffic 

Beginner

Re: ASA5505 - Accessing services from inside to outside.

Hi, I can use the private IP to access the web server without any issue. It's just that being able to access the web server's public address is also required, so I'm still frustrated.

On a side note, accessing the web server's public address from the internet also works.

 

Now the culprit is this flow:

    Inside                  =======>     Outside
    PC: 10.0.1.20                        54.55.56.57
                                              |
                                              |
    Inside                  <=================+
    Web Server: 10.0.1.10

It doesn't seem to work.

 

Thanks.

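To show why the flow drawn above fails with plain static NAT and works from the internet, here is an added Python model of the handshake that is not from the thread or from Cisco; the ASA inside-interface address 10.0.1.1, the /24 mask and the internet client 203.0.113.5 are constructed assumptions. It also models the hairpin (U-turn) variant, where the ASA additionally rewrites the client's source address so the server's reply comes back through the firewall.

```python
from dataclasses import dataclass

# Addresses from the thread; the ASA inside address and the /24 mask are assumptions.
PUBLIC_IP = "54.55.56.57"    # ASA outside (WAN) address the static NAT publishes
WEB_SERVER = "10.0.1.10"     # real address of the web server
PC = "10.0.1.20"             # client on the same inside subnet as the server
ASA_INSIDE_IP = "10.0.1.1"   # assumed: ASA inside interface, the subnet's default gateway

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def on_link(a: str, b: str) -> bool:
    """Same /24 (assumed mask): the server can deliver directly without its gateway."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def asa_translate(syn: Packet, hairpin: bool):
    """Static NAT untranslates the public destination; hairpin NAT also hides the
    client behind the ASA inside address. Returns the forwarded packet plus the
    xlate entry the ASA keeps, keyed by the (src, dst) the server's reply will carry."""
    fwd = Packet(ASA_INSIDE_IP if hairpin else syn.src, WEB_SERVER)
    return fwd, {(fwd.dst, fwd.src): Packet(syn.dst, syn.src)}

def server_reply(pkt: Packet) -> Packet:
    return Packet(pkt.dst, pkt.src)

def client_accepts(syn: Packet, reply: Packet) -> bool:
    """TCP only accepts a SYN-ACK from the address it dialled, sent to the source it used."""
    return reply.src == syn.dst and reply.dst == syn.src

def connect(client: str, hairpin: bool) -> bool:
    """Model one handshake attempt against the public IP; True if it completes."""
    syn = Packet(client, PUBLIC_IP)
    fwd, xlate = asa_translate(syn, hairpin)
    synack = server_reply(fwd)
    # Off-link replies (internet clients) and replies addressed to the ASA itself go
    # back through the ASA, which reverses the translation from its connection table.
    if synack.dst == ASA_INSIDE_IP or not on_link(synack.dst, WEB_SERVER):
        return client_accepts(syn, xlate[(synack.src, synack.dst)])
    # On-link reply: the server answers the PC directly and the ASA never sees it,
    # so the PC gets a SYN-ACK from 10.0.1.10 for a SYN it sent to 54.55.56.57.
    return client_accepts(syn, synack)

if __name__ == "__main__":
    print("internet client, static NAT:", connect("203.0.113.5", hairpin=False))  # True
    print("inside PC, static NAT:      ", connect(PC, hairpin=False))             # False
    print("inside PC, hairpin NAT:     ", connect(PC, hairpin=True))              # True
```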
Contributor

Re: ASA5505 - Accessing services from inside to outside.

If I understand the topology you drew, you should be able to connect to your web server from the internet.

 

go to https://www.browserling.com/

 

type the address http://54.55.x.x

 

Or do a packet-tracer and paste the result here:

packet-tracer input WAN tcp 8.8.8.8 123 10.0.1.10 80 detail

Also give us show run access-list.
