ASA access from inside to outside interface

andryi
Level 1

Hi

We need to make access on our ASA device from the inside network to the outside interface.

The situation is next:

We have a public external IP address and we need to access it from our inside network.

Can you please tell me if it is possible to do this?

Thank you.

1 Accepted Solution


static (inside,inside)

global (inside) 1* interface              *Assume you are using number one

same-security-traffic permit intra-interface


15 Replies

Jouni Forss
VIP Alumni

Hi,

Why do you want to access the public IP address specifically?

If we are talking about management of the ASA itself, then it would be better to use the ASA's "inside" interface IP address for management connections.

Or what is the purpose of this?

By default, to my understanding, it should be impossible to access the ASA's interface IP address from a source that is behind another interface.

So, for example, if you had a host behind the "inside" interface which wants to connect to the IP address of the ASA's "outside" interface, THEN this should be impossible to my knowledge.

- Jouni

There is an internal web server which can be accessed only from the outside interface, with port forwarding to an internal IP.

And we need to allow access to it from our inside network using only the external IP.

A bit of a tricky situation.

Usually this is handled with DNS reply rewrite on the ASA. Though if your public IP address isn't associated with some DNS name, it won't work.

Can you share what software version your ASA has?

- Jouni

No DNS name... only the external IP.
ASA version 8.2(1)

Hi,

Sadly I am not sure if this is possible in that software.

I got it working on my home ASA5505, but it's on software 8.4(5), which has the new NAT configuration format compared to 8.2.

So I am not really sure if you can configure the same on your current software.

Does your ASA only have "outside" and "inside" interfaces, and is the server located on the "inside" interface? Or is there a third interface involved? If the server were behind some "dmz" interface and the users behind the "inside" interface, then I guess this could be possible in your current software.

- Jouni

No... we have only "inside" (with the server) and "outside" interfaces, without a DMZ.

server (LAN) x.x.x.100 - x.x.x.2 inside ASA - y.y.y.58 outside ASA - INTERNET
and from the x.x.x.x network we need to grant access to the y.y.y.58 IP

static (inside,inside)

global (inside) 1* interface              *Assume you are using number one

same-security-traffic permit intra-interface

I guess it will work if the server has a public IP. But in our situation it has a private IP from the 192.168.1.0/24 network.

And if I understand this solution correctly, we need to create a rule that translates the external IP to the internal IP.

If I understood this correctly, you need to access, from an internal host, a server that is available only from the outside and that uses port forwarding to get to an internal server.

The suggested solution will work the way you want it; the public IP is going to be the IP address of the outside interface of the ASA. Don't forget the port-forwarding part.

Thanks, it works. But we also needed to change the dynamic rule.

Used this manual:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

That's right, the solution is called hairpinning, aka U-turn.

The dynamic rule was the one suggested in my first reply:

global (inside) 1* interface           *Assume you are using number one

My mistake.
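To show how the pieces in this thread fit together, here is the whole hairpin (U-turn) configuration in the 8.2 NAT syntax, assembled as an added example; it is not the poster's exact configuration and it uses constructed placeholder addresses (203.0.113.58 for the outside interface, 192.168.1.100 for the web server, 192.168.1.0/24 for the LAN, 192.168.1.50 for a test client) and assumes NAT id 1, as the accepted answer does.

```cisco
! Added example, not from the thread. Placeholder addresses are constructed.
! 203.0.113.58   = outside interface IP (the "public IP" users will connect to)
! 192.168.1.100  = internal web server on the inside interface
! 192.168.1.0/24 = inside LAN

! 1. Let a flow enter and leave on the same interface (inside -> inside).
same-security-traffic permit intra-interface

! 2. Existing port forward for Internet users (outside -> server), unchanged.
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255

! 3. Hairpin translation: inside hosts sending to the public address on port 80
!    are steered to the server. The mapped address is written out explicitly;
!    the "interface" keyword here would mean the inside interface IP instead.
static (inside,inside) tcp 203.0.113.58 80 192.168.1.100 80 netmask 255.255.255.255

! 4. The "dynamic rule": PAT hairpinned inside hosts to the inside interface
!    address so the server's replies return through the ASA and not straight
!    to the client on the LAN (which would break the TCP session).
!    NAT id 1 is assumed; reuse whatever id your existing nat/global pair uses.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! 5. Verify the path before relying on it (192.168.1.50 is a constructed client).
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.58 80
```

Two things to keep in mind when running this: because of step 4 the web server's access logs will show the ASA's inside interface address rather than the real LAN client, so keep the ASA connection logs if you need to attribute that traffic; and the hairpin only reaches services that are statically translated to the public address. It does not make the ASA's own management services (ASDM, SSH, ICMP to the interface) reachable on the outside interface IP from inside, which is the limitation discussed later in this thread.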

Thanks so much for the help.


Joe,

Just as a hairpinning follow-up, would you know if it is possible to:

1) manage the ASA via ASDM from a workstation on the inside LAN, pointing to the outside interface address? We wish to do this because the outside interface is the one that answers to our public DNS name, which is used in our SSL cert.

2) ping the outside public interface from the LAN behind the inside private interface?

I have seen numerous threads on this but have not been able to get either of these to work. I am running 8.2.5 with ASDM 711. No matter what I try, the packet tracer fails when I attempt to do this.

Thanks
Harold

Sent from Cisco Technical Support iPad App

Neither of the scenarios you described is going to work, because it is a security violation to try to access the ASA's external IP address from an internal host.

There is no way to bypass this.

If you want to manage your ASA from the inside, just enable the service for the necessary users in that network.

You can add the ASA's internal IP address to the list of trusted CAs on the manager's computer; that should get rid of the security warning it shows the first time you try to connect.
