Accessing public IPs of 'Public Servers' from the inside interface

groupalia
Level 1

Hi!

We have an ASA 5525-X running the 8.6 release, with an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On the DMZ interface there's an SMTP server; using the Public Server feature in ASDM we created a rule that maps the internal IP 10.254.1.29 to an external IP 217.x.x.x.

Everything is fine and working OK, but for several reasons we need to access the public IP 217.x.x.x from an inside IP (10.11.1.10).

I tried to do it by creating an exemption for the dynamic NAT; if I don't do that I have a 'deny IP spoof from...' message rolling on my syslogs.

It seems to do the trick... but only for pings! I ping the public IP from the inside IP and get the reply from the internal IP on the DMZ. But if I try to telnet to port 25 from inside to the public IP, it's not working.

thanks!

Xavier


7 Replies

Julio Carvajal
VIP Alumni

Hello Xavier,

Are you using an internal DNS or an external DNS?

I need to know that because we can use the DNS doctoring feature or just a static one-to-one translation.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio! Glad to meet you again :-)

I'm using internal DNS servers.

thanks

Hello Xavier,

Thanks for the info

Is there a way you could post the following:

packet-tracer input inside tcp inside_host_ip 1025 external_dmz_server_ip 25

I mean all you need is :

Translation from DMZ (private IP) to inside (public DMZ server IP)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sure:

GRPCPDFW01# packet-tracer input  backEND_homeSYS tcp 10.11.1.119 1025 217.149.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group BACKEND_HOMESYS_access_in in interface BACKEND_HOMESYS
access-list BACKEND_HOMESYS_access_in extended permit ip object GRPCPDCOMMS01 object-group DM_INLINE_NETWORK_62
object-group network DM_INLINE_NETWORK_62
 network-object 10.20.1.0 255.255.255.0
 network-object 10.5.1.0 255.255.255.0
 network-object object ITALY
 network-object object Oficinas
 network-object object SPAIN
 network-object object ISCSI_Network
 network-object object TLV_POOL_1
 network-object 0.0.0.0 0.0.0.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (BACKEND_HOMESYS,OUTSIDE) source static BACKEND_HOMESYS BACKEND_HOMESYS destination static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 no-proxy-arp route-lookup
Additional Information:
Static translate 10.11.1.119/1025 to 10.11.1.119/1025

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 470330556, packet dispatched to next module

Result:
input-interface: BACKEND_HOMESYS
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Hello,

Here is the issue:

input-interface: BACKEND_HOMESYS

output-interface: OUTSIDE

Traffic is not going to the DMZ.

So do the following

object network DMZ_SMTP_Server
 host x.x.x.x
object network DMZ_Public_SMTP
 host y.y.y.y
nat (dmz,BACKEND_HOMESYS) 1 source static DMZ_SMTP_Server DMZ_Public_SMTP

Add it and try it, if it still does not work please add the packet-tracer output again.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
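Julio's fix, written out as a fuller ASA 8.3+ configuration. This is an added example, not configuration from the original post or from Cisco. The object names, the real DMZ address 10.254.1.29 and the interface name BACKEND_HOMESYS come from the thread; 203.0.113.25 is a documentation placeholder standing in for the 217.x.x.x public address, the interface name `dmz` and the shape of the existing Public Server rule are assumed, and the tightened access-list line is a suggestion, not something the thread configured. The trace above shows why the original did not work: the broad `nat (BACKEND_HOMESYS,OUTSIDE)` identity rule matched first, the packet was forwarded out OUTSIDE and never reached the DMZ server. A static twice-NAT rule between dmz and BACKEND_HOMESYS, placed at line 1 so it is evaluated before that identity rule, makes the ASA un-translate the public destination to the real DMZ address and forward the packet out dmz.

```cisco
! Objects: the real DMZ address is from the thread; the public address is a
! documentation placeholder for the 217.x.x.x in the post.
object network DMZ_SMTP_Server
 host 10.254.1.29
object network DMZ_Public_SMTP
 host 203.0.113.25

! Existing rule created by the ASDM "Public Server" wizard (assumed shape):
! 10.254.1.29 on the dmz side appears as 203.0.113.25 on OUTSIDE.
nat (dmz,OUTSIDE) source static DMZ_SMTP_Server DMZ_Public_SMTP

! The fix: the same static mapping, but between dmz and the inside interface.
! Line 1 puts it ahead of the nat (BACKEND_HOMESYS,OUTSIDE) identity rule seen in
! the packet-tracer output, which otherwise matches first and picks OUTSIDE.
! For a packet arriving on BACKEND_HOMESYS with destination 203.0.113.25 the ASA
! un-translates the destination to 10.254.1.29 and, because the rule names dmz
! as the real interface, forwards it out dmz. The inside source is left as-is,
! so the SMTP server sees 10.11.1.10, not a translated address.
nat (dmz,BACKEND_HOMESYS) 1 source static DMZ_SMTP_Server DMZ_Public_SMTP

! Least-privilege inside ACL (assumed; the trace shows the existing ACL permits
! ip from this host to 0.0.0.0/0). On 8.3+ the ACL is evaluated after un-NAT,
! so it must name the REAL DMZ address, not the public one.
access-list BACKEND_HOMESYS_access_in line 1 extended permit tcp host 10.11.1.10 object DMZ_SMTP_Server eq smtp

! Verify from the CLI before testing from the host: the Result block should now
! show output-interface: dmz instead of OUTSIDE.
packet-tracer input BACKEND_HOMESYS tcp 10.11.1.10 1025 203.0.113.25 25
show nat detail
show xlate | include 10.254.1.29
```

Two practical notes. First, because the inside source is not translated, any relay or allow-list on the SMTP server itself must accept 10.11.1.10 as a client. Second, the DNS doctoring alternative Julio asked about only applies when inside hosts resolve the name through an external DNS server whose replies cross the ASA; adding the `dns` keyword to the (dmz,OUTSIDE) static rule would then rewrite the A record to 10.254.1.29 so hosts connect to the real address directly. With internal DNS servers, as in this thread, those servers can simply hand out the private address, and the twice-NAT rule above is what is needed for hosts that insist on the public one.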

You're a genius :-)

It works!

Thanks another time ;-)

xavier.

Hello Xavier,

My pleasure to help,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC