Access websites hosted on local web server

Hi there,

I have a Cisco ASA 5505 in my home office which has a few PCs behind it with a linux web server running some websites. I can access the websites from outside no problem (i.e. on my iPhone using a 3G connection). However, I struggle to access the websites from within the network. The ASA gives me this error:

6  May 05 2013  11:52:27  192.168.55.61  50420

Failed to locate egress interface for TCP from inside:192.168.55.61/50420 to 86.*.*.*/80

ASA runs version 9. Here is the config bit:

object network denon-server
 host 192.168.55.200

access-list outside_access_in extended permit tcp any object denon-server eq www

object network denon-server
 nat (any,outside) static interface service tcp www www

Any suggestions?

Accepted Solutions

Jouni Forss

Hi,

I assume that you are trying to reach the LAN server with the public IP address that the ASA holds and also uses for the above Port Forward / Static PAT configuration?

If this is the situation then I am afraid that with the current configuration that is not possible. The NAT configuration towards Internet is done between probably "inside" and "outside". So "outside" interface holds the public IP address. ASA doesn't let you connect to that "outside" IP address from behind the "inside" IP address. (Or any other interface for that matter)

What you could try to do is configure a NAT that would enable you to use the public IP address of the server even when connecting from the "inside" of ASA.

Try this

object network SERVER-LOCAL
 host 192.168.55.200

object network SERVER-PUBLIC
 host 86.x.x.x

object network LAN
 subnet 192.168.55.0 255.255.255.0

nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL

Where

  • SERVER-LOCAL = Is the "object" that defines the real IP address of the server
  • SERVER-PUBLIC = Is the "object" that defines the public IP address of the server (that ASA holds on its "outside")
  • LAN = Is the "object" that defines the subnet from where LAN users connect to the server public IP address

Check that the network mask is correct for the LAN and fill in the public IP address.

The actual NAT configuration tells the ASA this

  • When a connection from LAN is coming towards SERVER-PUBLIC then UN-NAT SERVER-PUBLIC to SERVER-LOCAL and NAT LAN to "inside" interface IP address (as defined by the parameter "interface" in the configuration)

This should enable the LAN hosts to use the public IP address to connect to the server. The server though will see the connections coming from the ASA "inside" interface IP address.

Hope this helps

Please remember to mark a correct reply as the correct answer if it did answer. And/or rate helpful answers

Ask more if needed.

- Jouni
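
The translation described in the answer above, modelled as an added example (not part of the original post and not ASA code): it walks one TCP exchange through the (inside,inside) rule with and without the source translation, showing why the reply must return through the ASA and which address ends up in the server's logs. The ASA inside address 192.168.55.1 and the public address 203.0.113.10 are assumed placeholders; the client and server addresses are the ones from the thread.

```python
from dataclasses import dataclass, replace

# Client and server are from the thread; the other two are placeholders.
CLIENT, SERVER = "192.168.55.61", "192.168.55.200"
ASA_INSIDE = "192.168.55.1"      # assumed inside interface address
PUBLIC = "203.0.113.10"          # placeholder for the elided 86.x.x.x

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class HairpinNat:
    """Models: nat (inside,inside) source dynamic LAN interface
               destination static SERVER-PUBLIC SERVER-LOCAL"""
    def __init__(self, translate_source=True):
        self.translate_source = translate_source
        self.xlate = {}            # mapped port -> (real client ip, port)
        self.next_port = 20000

    def forward(self, p):
        """Client -> public IP: un-NAT the destination, PAT the source."""
        if p.dst != PUBLIC:
            return p
        p = replace(p, dst=SERVER)
        if self.translate_source:
            self.xlate[self.next_port] = (p.src, p.sport)
            p = replace(p, src=ASA_INSIDE, sport=self.next_port)
            self.next_port += 1
        return p

    def reverse(self, p):
        """Server reply arriving at the ASA: undo both translations."""
        client, port = self.xlate[p.dport]
        return replace(p, src=PUBLIC, dst=client, dport=port)

def handshake(nat):
    """Return (source the server logs, does the client accept the reply)."""
    syn = Packet(CLIENT, 50420, PUBLIC, 80)
    at_server = nat.forward(syn)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # A reply addressed to the client is switched on the LAN and bypasses the ASA.
    if reply.dst == ASA_INSIDE:
        reply = nat.reverse(reply)
    accepted = reply == Packet(syn.dst, syn.dport, syn.src, syn.sport)
    return at_server.src, accepted
```

On the ASA itself, traffic that enters and leaves the same interface also needs `same-security-traffic permit intra-interface`, and `packet-tracer input inside tcp 192.168.55.61 50420 86.x.x.x 80` shows which NAT rule a test packet matches. Because every LAN client appears as the inside interface address, the web server's access logs cannot distinguish internal clients; the ASA's connection logs hold that mapping.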

Awesome, thank you very much. This has solved my problem!

Hi,

Glad to hear it works now

- Jouni
