02-26-2013 12:10 PM - edited 03-11-2019 06:06 PM
Hi
We need to allow access from our inside network to the outside interface of our ASA device.
The situation is as follows:
We have public external ip address and we need to access it from our inside network.
Can you please tell me if it is possible to do this?
Thank you.
02-26-2013 12:15 PM
Hi,
Why do you want to access the public IP address specifically?
If we are talking about management of the ASA itself, then it would be better to use the ASA's "inside" interface IP address for management connections.
Or what is the purpose of this?
By default, to my understanding, it should be impossible to access the ASA's interface IP address from a source that is behind another interface.
So, for example, if you had a host behind the "inside" interface which wants to connect to the IP address of the ASA's "outside" interface, THEN this should be impossible to my knowledge.
- Jouni
02-26-2013 12:26 PM
There is an internal web server which can be accessed only from the outside interface, with port forwarding to the internal IP.
And we need to allow access to it from our inside network using only the external IP.
02-26-2013 12:41 PM
A bit of a tricky situation.
Usually this is handled with DNS reply rewrite on the ASA. Though if your public IP address isn't associated with some DNS name, it won't work.
Can you share what software version your ASA has?
- Jouni
02-26-2013 12:57 PM
No DNS name... only external IP
ASA version 8.2(1)
02-26-2013 01:07 PM
Hi,
Sadly I am not sure if this is possible in that software.
I got it working on my home ASA5505, but it's on software 8.4(5), which has the new NAT configuration format compared to 8.2.
So I am not really sure if you can configure the same on your current software.
Does your ASA only have "outside" and "inside" interface and the server is located on "inside" interface? Or is there a third interface involved? If the server was behind some "dmz" interface and the users behind "inside" interface then I guess this could be possible in your current software.
- Jouni
02-26-2013 01:17 PM
No... we have only "inside" (with the server) and "outside" interfaces, without a DMZ.
server (LAN) x.x.x.100 - x.x.x.2 inside ASA - y.y.y.58 outside ASA - INTERNET
and from the x.x.x.x network we need access to the y.y.y.58 IP.
02-26-2013 02:10 PM
static (inside,inside)
global (inside) 1 interface
(assuming you are using NAT ID 1)
same-security-traffic permit intra-interface
02-26-2013 05:08 PM
I guess it will work if the server has a public IP. But in our situation it has a private IP from the 192.168.1.0/24 network.
And if I understand this solution correctly, we need to create a rule that translates the external IP to the internal IP.
02-26-2013 05:12 PM
If I understood this correctly, you need to access, from an internal host, a server that is available only from the outside and that uses port forwarding to reach an internal server.
The suggested solution will work the way you want it; the public IP is going to be the IP address of the outside interface of the ASA. Don't forget the port-forwarding part.
02-26-2013 05:39 PM
Thanks, it works. But we also needed to change the dynamic rule.
Used this manual
02-26-2013 05:50 PM
That's right, the solution is called hairpinning, aka U-turn.
The dynamic rule was the one suggested in my first reply:
global (inside) 1 interface
(assuming you are using NAT ID 1)
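The pieces discussed above (the `static (inside,inside)`, the `global (inside) 1 interface` dynamic rule and `same-security-traffic permit intra-interface`) fit together as follows. This is an added worked example for ASA 8.2, not configuration posted by anyone in the thread. It assumes the server is 192.168.1.100 on TCP/80, that NAT ID 1 is in use, that 203.0.113.58 stands in for the outside address y.y.y.58, and that 192.168.1.50 is an inside client used only for the packet-tracer check. The public address is written out in the hairpin static because, in an `(inside,inside)` static, the `interface` keyword refers to the mapped interface, which is inside, not outside.

```cisco
! Added example (not from the thread): ASA 8.2 hairpin / U-turn NAT so that
! inside hosts can reach the published web server via the public address.
! Assumed values: server 192.168.1.100, service TCP/80, NAT ID 1,
! 203.0.113.58 standing in for the outside address y.y.y.58,
! 192.168.1.50 as a test client.

! 1. Let a packet enter and leave the same interface (off by default).
same-security-traffic permit intra-interface

! 2. The existing publish rule for Internet clients (outside -> server).
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255

! 3. Hairpin destination translation: an inside host sending to
!    203.0.113.58:80 is redirected to 192.168.1.100:80 and the packet is
!    sent back out "inside". The public address is written out because in
!    an (inside,inside) static the "interface" keyword would mean the
!    inside interface address, not the outside one.
static (inside,inside) tcp 203.0.113.58 80 192.168.1.100 80 netmask 255.255.255.255

! 4. Source PAT of the inside clients to the inside interface address.
!    Without it the server sees the client's real LAN address and answers
!    it directly on the LAN, bypassing the ASA; the client then gets replies
!    from 192.168.1.100 instead of 203.0.113.58, ignores them, and the
!    connection never completes.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface

! 5. Verify the U-turn before telling the users: the trace should show the
!    NAT phase rewriting the destination and end with "Action: allow".
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.58 80
! Active translations, including the inside PAT entries, are listed by:
show xlate
```

If a `nat (inside) 1 ...` statement already exists for Internet access (paired with `global (outside) 1 interface`), only the `global (inside) 1 interface` line in step 4 is new, which is what the "dynamic rule" in the reply above refers to. Note that `same-security-traffic permit intra-interface` lets any inside host reach any other inside host through the ASA, so the access list on the inside interface still has to permit only the server port you intend to expose.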
02-26-2013 05:55 PM
My mistake.
Thanks so much for help
02-26-2013 06:38 PM
Joe,
Just as a hairpinning followup, would you know if it is possible to:
1) manage the ASA via ASDM from a workstation on the inside LAN by pointing at the outside interface address? We wish to do this because the outside interface is the one that answers to our public DNS name, which is used in our SSL cert.
2) ping the outside public interface from the LAN behind the inside private interface?
I have seen numerous threads on this but have not been able to get either of these to work. I am running 8.2.5 with ASDM 711. No matter what I try, the packet tracer fails when I attempt to do this.
Thanks
Harold
02-26-2013 08:32 PM
Neither of the scenarios you described is going to work, because it is a security violation to try to access the ASA's external IP address from an internal host.
There is no way to bypass this.
If you want to manage your ASA from the inside, just enable the service for the necessary users in that network.
You can add the ASA's internal IP address to the list of trusted CAs on the manager's computer; that should get rid of the security warning it shows the first time you try to connect.