Accessing a natted public IP from LAN

shijomon scaria
Level 1

Dear All,

One of our servers is NATed to a public IP and it is accessible from the internet using the public IP.

Is there any way to access the server from the LAN using the public IP?

Thanks in advance.

Regards,

Shijo.


4 Replies

Jouni Forss
VIP Alumni

Hi,

You left out crucial parts of information.

  • What is your firewall software level?
  • What are the interface names?
  • What are the IP addresses? (even if changed for the purpose of the example)

It should be possible, but we need additional information to give you an answer.

- Jouni

Hi Jouni,

Thanks for the information.

Please find the required information below.

1) What is your firewall software level?

     ASA 8.0(2)

2) What are the interface names?

     Inside & Outside

3) What are the IP addresses? (even if changed for the purpose of the example)

     Inside IP - 10.1.1.XX

     Outside IP - 89.XX.XX.248

Regards,

Shijo.

Hi,

Ok, actually I forgot to ask one more question, but I'll give an example here.

So you probably have a Dynamic PAT rule on your firewall currently that might look something like this:

global (Outside) 1 interface

nat (Inside) 1 10.1.1.0 255.255.255.0

Or something very similar to the above.

What we need to do next is enable the following configuration:

same-security-traffic permit intra-interface

You can check if it has been enabled already with the below command:

show run same-security-traffic

What the first command I mentioned will do is enable traffic to enter and leave the same interface on the ASA. Without this command the connection would fail.

Now, next we will need a translation that might look a bit weird. We will need to translate the "Inside" server towards the "Inside" interface to the public IP address:

static (Inside,Inside) 89.xxx.xxx.248 10.1.1.xxx netmask 255.255.255.255

This will enable the users to reach the public IP address from behind the "Inside" interface with the public IP address. You probably have a similar "static" configuration for the server already, but for "Inside" to "Outside", and that will only work for hosts that are connecting from the Internet, NOT from the "Inside" of your firewall.

Finally, we will need another NAT rule that might look weird:

global (Inside) 1 interface

What this will do is Dynamic PAT for the users behind "Inside" when they are connecting to the public IP address for which we did the "Inside" to "Inside" NAT configuration. If we did not add this configuration the connection wouldn't go through correctly.

Essentially what will happen after this when the "Inside" host connects to the public IP address is the following:

  • Host on the network 10.1.1.0/24 connects to the public IP address of 89.xxx.xxx.248
  • Connection attempt reaches the ASA "Inside" interface
  • ASA will untranslate the destination IP address of 89.xxx.xxx.248 to the real IP address of 10.1.1.xxx
  • ASA will also translate the source IP address of the host to the "Inside" interface IP address
  • Connection will arrive on the "Inside" server and look as if it's coming from the ASA "Inside" IP address (because of the NAT configurations)
  • The server will reply to the ASA "Inside" interface IP address and connection forming will go through normally

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Naturally ask more if needed.

- Jouni
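A small configuration check, added here and not part of Jouni's reply, that reads an ASA 8.x (pre-8.3 syntax) running config and reports which of the three hairpin pieces from the reply above are still missing for a given public IP: the intra-interface permit, the "Inside,Inside" static, and a "global (Inside)" entry tied to the same NAT id the inside hosts use. The two sample configs, the 203.0.113.248 public IP and the 10.1.1.10 server address are constructed for the example.

```python
import re

# Constructed sample configs in ASA 8.0-style syntax (not from the thread).
HAIRPIN_OK = """
same-security-traffic permit intra-interface
global (Outside) 1 interface
global (Inside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
static (Inside,Outside) 203.0.113.248 10.1.1.10 netmask 255.255.255.255
static (Inside,Inside) 203.0.113.248 10.1.1.10 netmask 255.255.255.255
"""

# Only the usual Inside-to-Outside publishing; hairpin pieces absent.
MISSING_PIECES = """
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
static (Inside,Outside) 203.0.113.248 10.1.1.10 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) interface")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")


def hairpin_check(config, public_ip, inside="Inside"):
    """Return the list of hairpin pieces still missing for public_ip."""
    statics, globals_, nat_ids, intra = [], [], set(), False
    for line in config.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), int(m.group(2))))
        elif m := NAT_RE.match(line):
            if m.group(1) == inside:
                nat_ids.add(int(m.group(2)))  # nat ids used by inside hosts
    missing = []
    if not intra:  # traffic must be allowed to enter and leave the same interface
        missing.append("same-security-traffic permit intra-interface")
    # Destination untranslate: the public IP must be mapped on the inside interface itself.
    if not any(r == inside and mp == inside and ip == public_ip for r, mp, ip, _, _ in statics):
        missing.append(f"static ({inside},{inside}) {public_ip} <real_ip> netmask 255.255.255.255")
    # Source PAT towards the server so replies return via the ASA, using a nat id the hosts use.
    if not any(ifc == inside and gid in nat_ids for ifc, gid in globals_):
        missing.append(f"global ({inside}) <nat_id> interface")
    return missing
```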

Dear Jouni....!!

You did the magic... It's working fine....

Loads of thanks.

Regards,

Shijo.
