04-15-2013 11:45 PM - edited 03-11-2019 06:28 PM
Hi all,
On my ASA5510 I have a server with IP address 192.168.0.210 NATed to public IP 91.xxx.xxx.190 on TCP port 2120.
Is there a way to reach the server from the inside LAN using the exposed public IP (91.xxx.xxx.190) rather than the internal IP (192.168.0.210)?
interface Ethernet0/0
description Outside
nameif OUTSIDE
security-level 0
ip address 91.xxx.xxx.186 255.255.255.248
!
interface Ethernet0/1
description Lan
nameif LAN
security-level 100
ip address 192.168.0.254 255.255.255.0
!
static (LAN,OUTSIDE) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 91.xxx.xxx.190 eq 2120
access-group Outside_access_in in interface OUTSIDE
Thanks in advance.
M
04-15-2013 11:52 PM
Hi,
Even though I haven't tried this in some time now, to my understanding you will need a couple of NAT configurations and another setting enabled on the ASA for this to work.
First, if you have the default PAT configuration like this:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Then you would probably first need to add this:
global (inside) 1 interface
To reach the server with the public IP address you would probably need this
static (inside,inside) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
You would also have to make sure that the following configuration is found or issued on your ASA
same-security-traffic permit intra-interface
This will allow the connection to enter and leave the same interface on the ASA. In this case the interface in question would naturally be the "inside" interface.
I will have to say that I am not sure if I remember this right. I rarely have to do this, and furthermore I nowadays mostly configure the new NAT format of the 8.3+ software levels.
Hope this helps
- Jouni
04-16-2013 12:05 AM
I can probably lab this myself later on, but I don't have access to a proper device at the moment to do this.
- Jouni
04-16-2013 12:20 AM
Hi Jouni,
thanks for reply.
In my config I also have:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
same-security-traffic permit intra-interface
and added:
static (inside,inside) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
I don't understand this config, and I would not want to cause an outage in production :-):
global (inside) 1 interface
My ASA version is 8.2(5).
Without global (inside), in the log I have:
portmap translation creation failed for tcp src LAN:192.168.0.60/18045 dst LAN:91.xxx.xxx.190/2120
Thanks.
M
04-16-2013 12:54 AM
Hi,
Well, your original situation and what you are attempting to do is already something that the ASA doesn't support by default. The ASA won't allow local users behind the firewall to connect to a NAT IP address that IS NOT facing their interface on the ASA.
Your option is either to configure this kind of NAT or to configure the public IP address directly on the server (which 99% of the time in these questions isn't possible).
The purpose of the configuration "global (inside) 1 interface" is to provide translation for the source address while the "static" configuration is supposed to translate an internal address to the public IP address for the LAN users.
Other option would be that if your public IP address had a public DNS name then you could add the "dns" parameter at the end of the original "static" configuration (from inside to outside) and this would enable you to connect to the server using the DNS name. This is because the ASA would rewrite the DNS replies so that the host would actually be connecting to the local IP address instead of the public IP address.
The log message you are seeing is to my understanding referring to the situation that you are missing the translation for this traffic. This traffic is both entering the LAN interface and leaving the LAN interface back to the LAN network.
- Jouni
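To make the pieces in this reply concrete, here is an added example (my own script, not code from this thread or from Cisco) that parses a pre-8.3 ASA NAT configuration and checks whether a LAN host's connection to the server's public address has every piece the reply describes: the intra-interface permit, a static whose mapped side faces the LAN interface, and a global on the LAN interface for the source PAT. It is a simplified model of the lookup, not the ASA's full NAT order of operations; the function names, the problem messages, the assumption that nameif matching is case-insensitive, and both configuration snippets (constructed from what was posted in the thread) are mine.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Added example, not code from the thread or from Cisco: a simplified model of
# the pre-8.3 ASA NAT statements involved when a LAN host connects to the
# server's public (mapped) address and the reply must leave the LAN interface
# again. It does not reproduce the ASA's full NAT order of operations.

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
INTRA = "same-security-traffic permit intra-interface"


def parse_config(text):
    """Collect the static, global, nat and intra-interface statements.
    Interface names are lower-cased (assumption: nameif matching is case-insensitive)."""
    cfg = {"statics": [], "globals": set(), "nats": [], "intra": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append((real_if.lower(), mapped_if.lower(), mapped, real, mask))
        elif m := GLOBAL_RE.match(line):
            iface, pool_id, _pool = m.groups()
            cfg["globals"].add((iface.lower(), int(pool_id)))
        elif m := NAT_RE.match(line):
            iface, pool_id, net, mask = m.groups()
            if int(pool_id) != 0:  # nat 0 is identity/exemption, not a PAT source rule
                cfg["nats"].append((iface.lower(), int(pool_id), IPv4Network(f"{net}/{mask}")))
        elif line == INTRA:
            cfg["intra"] = True
    return cfg


def check_hairpin(config_text, src_ip, dst_ip, iface):
    """Return (real destination or None, list of problems) for a flow that enters
    `iface` from src_ip towards the mapped address dst_ip and must leave `iface`."""
    cfg = parse_config(config_text)
    iface = iface.lower()
    problems = []

    if not cfg["intra"]:
        problems.append(f"missing '{INTRA}': the flow must enter and leave {iface}")

    # Destination translation: only a static whose mapped side faces `iface` applies;
    # the static (iface,OUTSIDE) entry serves traffic that arrives on OUTSIDE.
    real_dst = None
    for real_if, mapped_if, mapped, real, mask in cfg["statics"]:
        if (real_if, mapped_if, mapped, mask) == (iface, iface, dst_ip, "255.255.255.255"):
            real_dst = real
    if real_dst is None:
        problems.append(f"no static ({iface},{iface}) maps {dst_ip} for traffic arriving on {iface}")

    # Source translation: the nat (iface) N rule covering src_ip needs a global (iface) N
    # pool, otherwise there is no mapped source address (message text modelled on the
    # "portmap translation creation failed" log line quoted in the thread).
    src = IPv4Address(src_ip)
    ids = [pid for nat_if, pid, net in cfg["nats"] if nat_if == iface and src in net]
    if not any((iface, pid) in cfg["globals"] for pid in ids):
        problems.append(
            f"portmap translation creation failed for tcp src {iface}:{src_ip} "
            f"dst {iface}:{dst_ip}: nat ({iface}) {ids} has no matching global ({iface})"
        )
    return real_dst, problems


# Constructed from the configuration posted in the thread (not a real device dump).
CONFIG_BEFORE = """
static (LAN,OUTSIDE) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
global (outside) 1 interface
nat (LAN) 1 192.168.0.0 255.255.255.0
same-security-traffic permit intra-interface
"""

# The same configuration plus the two statements the thread adds for the hairpin.
CONFIG_AFTER = CONFIG_BEFORE + """
global (LAN) 1 interface
static (LAN,LAN) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        real, problems = check_hairpin(cfg, "192.168.0.60", "91.xxx.xxx.190", "LAN")
        print(name, "->", real, problems or "ok")
```

Run against CONFIG_BEFORE the checker reports two problems (no static (lan,lan) and no global (lan) for the source PAT); against CONFIG_AFTER it resolves the public address to 192.168.0.210 with no problems. The model only handles the statements shown in the thread; policy NAT and nat 0 exemptions are deliberately ignored.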
04-16-2013 02:32 AM
Hi,
Now I have this NAT on the ASA:
If I add "global (inside) 1 interface", does it refer only to static (inside,inside) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255?
Thanks in advance.
M
04-16-2013 02:36 AM
Hi,
I think it will apply to any traffic that will enter the "inside" interface and attempt to leave through the "inside" interface too.
Normally this is not the case, since either some LAN router handles the routing or, if hosts are in the same subnet/VLAN, they can usually connect to each other without the help of the gateway.
This is not the optimal setup, but I guess it's the one setup that can be used to overcome the limitation on the ASA (about connections from the LAN to the outside NAT IP address).
I can test this only later today on my own test ASA, so before that I can't confirm the configuration format.
- Jouni
04-16-2013 02:45 AM
Hi,
Right, then Jouni, if you can test it on your test ASA, will you let me know?
Thanks.
M
04-16-2013 04:02 AM
Hi,
I suggest using:
static (LAN,OUTSIDE) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255 to publish the server to the external users.
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
same-security-traffic permit intra-interface
For source NAT of LAN users when connecting to the outside.
nat (inside) 0 access-list NAT0-INSIDE
access-list NAT0-INSIDE extended permit ip Y.Y.Y.Y Z.Z.Z.Z 190 192.168.0.0 255.255.255.0
Y.Y.Y.Y: the subnet you are trying to access from.
04-16-2013 05:17 AM
Hi halim,
thanks for reply.
I used this configuration:
static (LAN,OUTSIDE) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
same-security-traffic permit intra-interface
nat (inside) 0 access-list NAT0-INSIDE
access-list NAT0-INSIDE extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
but it does not work. Do I have something wrong?
Thanks.
M
04-16-2013 05:27 AM
Hi,
To me the configuration seems a bit odd. If you are willing to try, I would suggest the configuration from earlier, though I used the wrong interface names:
global (LAN) 1 interface
static (LAN,LAN) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
same-security-traffic permit intra-interface
Though if you want to confirm the setting I would have to see the current NAT configuration in CLI format.
- Jouni
04-16-2013 05:36 AM
Hi,
Yes, I wrote the correct interface names in the CLI. To summarize, your configuration:
global (outside) 1 interface
nat (LAN) 1 192.168.0.0 255.255.255.0
same-security-traffic permit intra-interface
static (LAN,LAN) 91.xxx.xxx.190 192.168.0.210 netmask 255.255.255.255
I just don't know whether or not to enable this config in production:
global (LAN) 1 interface
Thanks.
M
04-16-2013 06:27 AM
Hi,
I set up one of my ASAs with 8.2(2) software and did the following network setup
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 192.168.100.100 192.168.0.100 netmask 255.255.255.255
static (inside,inside) 192.168.100.100 192.168.0.100 netmask 255.255.255.255
When connecting from host 192.168.0.200 to IP 192.168.100.100 the connection goes through and the following connection can be seen on the ASA
ASA# show conn long
TCP inside:192.168.0.100/5900 (192.168.100.100/5900) inside:192.168.0.200/49216 (192.168.0.1/40648), flags UIOB, idle 8s, uptime 13s, timeout 1h0m, bytes 33138
As you can see there is connection from the LAN host 192.168.0.200 (NAT to 192.168.0.1) to LAN host 192.168.0.100 (NAT to 192.168.100.100)
And it seems to work
Though this is naturally a simple test setup.
- Jouni
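The "show conn long" entry above is the evidence that the hairpin works: both endpoints sit on the same interface, the server's real address is shown behind its mapped public address, and the client's source has been PATed to the interface address. As an added example (my own code, not from the thread or from Cisco), here is a parser for that line format and a check of those three properties; the regex, the function names and the status keys are my own choices, and the sample line is the one quoted in the thread.

```python
import re

# Added example, not output-parsing code from the thread or from Cisco: read one
# "show conn long" entry in the format quoted in the thread and report what it
# shows about the LAN-to-public-IP hairpin. Field and status names are my own.

CONN_RE = re.compile(
    r"^(?P<proto>\w+) "
    r"(?P<if1>\w+):(?P<real1>[\d.]+)/(?P<rport1>\d+) \((?P<map1>[\d.]+)/(?P<mport1>\d+)\) "
    r"(?P<if2>\w+):(?P<real2>[\d.]+)/(?P<rport2>\d+) \((?P<map2>[\d.]+)/(?P<mport2>\d+)\)"
    r", flags (?P<flags>\w+)"
)


def parse_conn(line):
    """Split an entry into its two endpoints, each shown as interface:real/port (mapped/port)."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    d = m.groupdict()
    for key in ("rport1", "mport1", "rport2", "mport2"):
        d[key] = int(d[key])
    return d


def hairpin_status(conn, server_real, server_mapped, lan_iface):
    """Check that both endpoints are on lan_iface, that the server's real address is
    shown behind its public (mapped) address, and that the client's source was PATed."""
    endpoints = [
        (conn["if1"], conn["real1"], conn["map1"]),
        (conn["if2"], conn["real2"], conn["map2"]),
    ]
    server = next((e for e in endpoints if e[1] == server_real), None)
    client = next((e for e in endpoints if e[1] != server_real), None)
    return {
        "same_interface": conn["if1"] == conn["if2"] == lan_iface,
        "server_translated": server is not None and server[2] == server_mapped,
        "client_pat": client is not None and client[1] != client[2],
        "client_real": client[1] if client else None,
        "client_seen_by_server": client[2] if client else None,
    }


# The connection entry quoted in the thread.
SAMPLE = ("TCP inside:192.168.0.100/5900 (192.168.100.100/5900) "
          "inside:192.168.0.200/49216 (192.168.0.1/40648), flags UIOB, idle 8s, "
          "uptime 13s, timeout 1h0m, bytes 33138")

if __name__ == "__main__":
    print(hairpin_status(parse_conn(SAMPLE), "192.168.0.100", "192.168.100.100", "inside"))
```

One consequence worth reading off the client side of that entry: the server sees the connection coming from 192.168.0.1 (the ASA's inside interface address), not from 192.168.0.200. With this workaround every hairpinned LAN client looks like the firewall to the server, so server-side logs and any per-client IP filtering on the server no longer distinguish LAN users reaching it through the public address.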
04-16-2013 11:57 PM
Hi Jouni,
I tested it in production and it is working properly. Thanks.
With version 8.4.x, should you always use this workaround?
Thanks.
04-17-2013 12:09 AM
Hi,
This NAT configuration format was used only up to software version 8.2(5).
From 8.3(1) the NAT uses a completely different format.
This is the only one I have used/tested on software versions 8.2(5) or below.
For the newer software the configuration format would naturally be totally different.
Please mark the question as answered.
Naturally ask more if needed.
- Jouni