Access issue with different security level

S891 · ‎06-18-2013

Hi,

I am facing an issue trying to understand the traffic flow on FWSM, hopefully someone can help here.

We have a Web Server which is on our private network. We are also allowing access to it from Internet. There are two DNS entries, one for local and one for public. There is a “static” statement on Firewall which is doing translation of Public (outside) to Private (Inside). The “static” NAT is defined for OUTSIDE to INSIDE interface. It is working fine.

Now the problem is, when the internal user tries to use the external URL it gets no response. Basically the traffic is initiated from INSIDE and it goes to OUTSIDE where it is NATTED and then there is no response. Since these interfaces cannot be on same security level the command “same-security-traffic permit {inter-interface | intra-interface}” cannot be used. The ACLs are permitting on both sides.

Any suggestions how to achieve this?

Jouni Forss · ‎06-18-2013

Hi,

By default you cant connect to a public IP address that is used as a NAT IP address on some other interface than where your actual connecting hosts are located at. In this case the users are located behind INSIDE while the actual NAT IP address is located on OUTSIDE.

You have a few options to access a server from your network behind the firewall with the public URL.

If you have an internal DNS server then you simply configure it to reply with the local IP address of the server
If you are using public DNS server then you need to add the "dns" parameter at the end of the "static" command so that the firewall can modify the DNS reply from the public DNS server before it reaches the actual host. The host will then receive a DNS reply pointing to the local IP address of the server
If you are using local DNS server and dont want to modify the configurations to refer to the local IP address instead of the public IP address then you will have to configure NAT translation to also translate the server to the public IP address towards the local network

For the last setup you would basicly would have a basic NAT configuration something like this

global (outside) 1 interface

nat (inside) 1 10.10.10.0 255.255.255.0

Of the below configuration the first line enable Dynamic PAT for the LAN users to the "inside" IP address of the firewall. This will make sure that the traffic flow correctly in the special NAT setup we are doing.

The second configuration line configured the local server IP address to translate to the public IP address also towards the local network

The last command enable the traffic to enter and leave the same interface

global (inside) 1 interface

static (inside,inside) netmask 255.255.255.255

same-security-traffic permit intra-interface

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni

S891 · ‎06-18-2013

Sorry, I did not get it. Are you suggesting to aply both sets of commands? Do I need to include all my Local networks in thhs nat (inside) ?

Jouni Forss · ‎06-18-2013

Hi,

The exact configuration format depends on your current configurations which I have not seen.

The basic idea is to configure source address translation (Dynamic PAT) that uses the local interfaces IP address as the PAT address. This will ensure the traffic gets forwarded back to the firewall correctly when the server replys.

The destination NAT is handled with the "static" configuration mentioned.

The Dynamic PAT configuration really depdends on your environment and its networks and current "global" and "nat" configurations on the firewall.

- Jouni