cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
813
Views
0
Helpful
9
Replies

Accessing a public facing server from an inside port

Scott Morris
Level 1
Level 1

I've been fighting with this for hours and can't seem to make any sense of it. I prefer instructions for ASDM 7.3. I'm learning the CLI, but I'm converting from an RV320 and GUI is more friendly to me at the moment.

My inside interface is 192.168.1.0/24
I have a server on 192.168.1.5
My outside interface is my static public IP, we'll go with 1.2.3.4 for the purposes of this thread.
I've got the gateway set, I can browse the web from the server as well as my test machine that's connected to the same subnet as the server.
My server is running IIS and processes host headers in order to pull up specific "websites." 
I have an access rule that sends tcp/http and tcp/https to 192.168.1.5.
I have a NAT rule for the Host 192.168.1.5 that's Static translated to the outside interface.

All this works great from outside the network. If I'm outside the office I can access my site; however, if I try to hit the site from my internal test machine I can't get to it.

I found this thread:
https://supportforums.cisco.com/discussion/12212751/allow-inside-host-access-inside-server-through-its-outside-ip
At the bottom of the thread you'll see the solution that TAC did for the OP, but I can't seem to figure out how to do that in ASDM

I've seen threads mentioning that I just need to select "Translate DNS replies for the rule" under the advanced section of the NAT rule, but this doesn't work either.

Any tips?

9 Replies 9

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

I think from the internal server , you are trying to access the URL which is still pointing to your Public IP.

You need to create a NAT statement for this to work. It depends on the code you are running on the ASA device.

NOTE:- Also , i think you are using Port Forwarding rather than a static NAT with the interface ip itself.

Please verify.

Thanks and Regards,

Vibhor Amrodia

Thank you for your reply.

If I understand your first question correctly, yes that is right. The URL looks to my public IP, and I am trying to access the URL from an internal computer on the same subnet as the IIS server that hosts the website. From outside it works fine, from inside it does not.

Yes, I'm pretty sure I need a NAT rule to allow this. I have tried many combinations and can't seem to get anything to work properly.

Regarding Port Forwarding, yes that is how I had it setup on the RV320. However, I don't see anything directly called "Port Forwarding" on the ASA, so I assume I'm creating Port Forwarding through the use of NAT and ACL's. The NAT rule I have is a static outside rule from any source interface to the outside destination interface. I hope that answers your question.

Edit:
I've attached an image, so hopefully that helps.

The reason the DNS doctoring solution is not working is most probably that your DNS server is located on the same subnet as the PC you are testing from.  DNS doctoring only works if DNS requests are sent through the ASA.

You would need to add a NAT statement like the following, keep in mind that this is for an ASA version 8.3 or higher.  8.2 or lower requires different syntax.

object network LAN

  subnet 10.10.10.0 255.255.255.0

object network server-private

 host 10.10.10.5 

object network server-public

 host 1.2.3.4

nat (inside,inside) source static LAN LAN destination static server-public server-private

same-security-traffic permit intra-interface

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Actually, you might need another unused subnet in there to translate you local LAN if the PC and the server are on the same subnet that is.  Otherwise you will be subject to asynchronous routing and the ASA will drop that traffic also...by default.

--
Please remember to select a correct answer and rate helpful posts

Thanks for the reply. I'll give this solution a shot.

Regarding setting up another subnet... I understand that the ASA is more complex and secure than the RV320, but why can't I mimic the behavior of port forwarding on the RV (and any other consumer/soho router)? I just feel like something simple is missing, it usually boils down to the easiest solution vs the most complex. Everything works fine on the RV, so there has to be something simple that I'm missing. 

Am I going about this the wrong way from the start? Perhaps you could give me some instructions of a different way of going about it?

The problem comes from the server and your client machines being on the same subnet.  If you access the server public IP traffic is sent to the ASA.  We configure the ASA to translate that back to the internal IP and send it to the server.  Then the server will see that it is located on the same subnet as the PC that originally sent the packet and then send it directly to the PC instead of going through the ASA.  The PC will see the reply from the server and then send another packet to the public IP address.  This is where the problem is.  The ASA will now see another packet headed toward the server but it did not see the reply from the server for the original packet and therefore think this is a spoofed packet and drop it. 

You can bypass this by configuring TCP bypass on the ASA but this is considered a security risk, and I recommend that you do not do this.

But if you do decide to go this route, this link will provide you the configuration details

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

I see, that makes perfect sense. Doing a little research on port forwarding on the RV's (and other similar routers) it seems that the "port forwarding" features are basically doing the TCP bypass. Correct me if I'm wrong there, but based on my symptoms I assume I'm correct.

I definitely want to do things in the most secure fashion, that's why I'm using an ASA. Would simply putting the server on a different subnet make the difference? Is there anything else I would have to do?

Thanks you for your help.

Yes placing the server on a different subnet and on a different interface on the ASA will make this much easier.  Then it is just a matter of NATing the public IP from the inside interface to the DMZ interface.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Thank you! I'll give it a shot.

Review Cisco Networking for a $25 gift card