asa 5506 / 9.16(3)3 enable talk from inside to outside IP

petris001 (Level 1)

Hi folks,

From external IP 1.1.1.1 (DNS name alice.bob, ASA iface outside) I port forward TCP 80/443 to the internal webserver IP 10.10.10.10/24 (ASA iface inside 10.10.10.1). All works properly. Now, how can I enable a connection from IP 10.10.10.100/24 to http://alice.bob? How can I enable a connection from the LAN on the inside iface to the redirected TCP port on the external iface?

9 Replies

If I understand correctly, the PAT is bidirectional, but the connection always initiates from the outside client to the server.

balaji.bandi (Hall of Fame)

"How can I enable a connection from IP 10.10.10.100/24 to http://alice.bob? How can I enable a connection from the LAN on the inside iface to the redirected TCP port on the external iface?"

If alice.bob is resolved locally (punch a hole in DNS by adding an A host record), local traffic will be directed to the web server?

Or am I missing something here?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The topology looks like this:

               outside  inside
client1  ------ asa ----- switch -----  webserver
                                         |
                                         ---------- client2

The DNS record alice.bob points to the IP of the outside (left) ASA iface.

client1 is somewhere on the Internet and opens http://alice.bob; the ASA correctly forwards the connection to the webserver.

client2 can open the local webserver via its IP but can't open http://alice.bob.

Log from the ASA:

%ASA-6-110002: Failed to locate egress interface for TCP from inside:10.10.10.100/22651 to alice.bob/80

Config:

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.1.1.1

interface GigabitEthernet1/2.252
 vlan 252
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

object network localnet
 nat (inside,outside) dynamic interface
object network webserver-01
 nat (inside,outside) static interface service tcp www www
object network webserver-02
 nat (inside,outside) static interface service tcp https https

access-list outside_access_in extended permit tcp any4 object webserver eq www
access-list outside_access_in extended permit tcp any4 object webserver eq https

A fake DNS record (alice.bob to the local IP address) makes other problems. The correct solution is to enable connections from the local LAN to the outside IP and have the ASA send the connection back to the webserver.

A DNS rewrite rule on the ASA is not applicable, because the public IP is NATted to different private IPs depending on the TCP port.

You need hairpinning here:

Example post:

https://community.cisco.com/t5/network-security/hairpin-nat-asa5506-x-version-9-8/td-p/3756235

BB


For hairpin NAT with a different port:

nat (in1,in2) source static client client destination static <server public ip> <server private ip> service <L4-port1 service object> <L4-port2 service object>

L4-port1 is the L4 port accessed from outside.

L4-port2 is the L4 port used by the server (the "real port").

If you want the internal users to be able to reach out to the server FQDN via its public IP address then try to add this NAT rule please:

nat (inside,inside) source dynamic <internal subnet object> interface destination static <server public IP> <server private IP>
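Putting the last two replies together for the topology in this thread, as an added example that is not from any of the posters: the inside-to-inside twice NAT below lets client2 (10.10.10.100) open http://alice.bob, which resolves to 1.1.1.1, with the ASA translating the destination to the right internal host per port (the thread says 80 and 443 land on different private IPs) and PATting client2 behind the inside interface address so the server's replies return through the ASA instead of going straight to client2 on the same VLAN. Addresses 1.1.1.1, 10.10.10.0/24 and 10.10.10.10 come from the posts; the webserver-02 host address, the `localnet` subnet line and the object names `outside-ip`, `http-dst` and `https-dst` are assumptions. The public IP must be placed in its own object: in an `(inside,inside)` rule the `interface` keyword used as the mapped destination would mean the inside interface's address, not 1.1.1.1.

```cisco
! Required: a hairpinned flow enters and leaves the same interface.
same-security-traffic permit intra-interface

! Public address of the outside interface (from the thread).
object network outside-ip
 host 1.1.1.1

! Assumed: the LAN behind the inside interface (10.10.10.1/24 in the thread).
object network localnet
 subnet 10.10.10.0 255.255.255.0

! Server reached on port 80 (from the thread).
object network webserver-01
 host 10.10.10.10

! Assumed host address for the server reached on port 443.
object network webserver-02
 host 10.10.10.11

! Destination-port service objects; the public and real ports are the same here,
! so each object is used for both the mapped and the real destination port.
object service http-dst
 service tcp destination eq www
object service https-dst
 service tcp destination eq https

! Manual (twice) NAT, section 1, evaluated before the existing object NAT.
! Source: client PATted behind the inside interface so return traffic
! comes back through the ASA. Destination: 1.1.1.1:80 -> webserver-01:80,
! 1.1.1.1:443 -> webserver-02:443.
nat (inside,inside) source dynamic localnet interface destination static outside-ip webserver-01 service http-dst http-dst
nat (inside,inside) source dynamic localnet interface destination static outside-ip webserver-02 service https-dst https-dst

! Check: simulate client2's failing connection from the log message.
! packet-tracer input inside tcp 10.10.10.100 22651 1.1.1.1 80
```

In the `packet-tracer` output the NAT phase should reference one of the `(inside,inside)` rules and the final result should be ALLOW; the `%ASA-6-110002` message from the original post should stop appearing for this flow. Without `same-security-traffic permit intra-interface` the ASA drops the packet regardless of the NAT rules.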
