asa deny ip spoof interface outside

ashwanipatel1
Level 1

Hi techies,

I know this has been asked several times, but I haven't found a solid answer yet. I am using an ASA 5520 with code 9.1.

My public WAN pool is 198.90.7.x/24 and the ASA outside interface is 74.200.11.180. I have a website at 198.90.7.195, and when users on the corp inside network try to access the website at 198.90.7.195, they get an error. I think this is because when users go to the internet their LAN IP is PATed to the ASA's outside interface 74.200.11.180, and the website is hosted on an internal server behind the same ASA, so the firewall denies the traffic stating "Deny IP spoof from (74.200.11.180) to 198.90.7.195 on interface outside". I tried same-security-traffic permit intra-interface but that doesn't resolve the U-turning issue.

How can I make users on the inside access the website over the public IP?

Diagram and Configs are attached.

Thanks

Config

ciscoasa# show run
: Saved
:
ASA Version 9.1(5)
!
hostname ciscoasa

enable password NGvxQfU5cKEVKX.L encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

ip local pool devpool 10.255.255.1-10.255.255.254 mask 255.255.255.0
ip local pool vpnpool 172.16.80.200-172.16.80.250 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 74.200.11.180 255.255.255.224 standby 74.200.11.181
!
interface GigabitEthernet0/1
 description siteinmotion protected
 nameif inside
 shutdown
 security-level 50
 ip address 172.16.80.1 255.255.255.0 standby 172.16.80.2
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.172
 vlan 172
 nameif INFRA-MIGRATION
 security-level 50
 ip address 172.16.86.1 255.255.255.0
!
interface GigabitEthernet0/2.173
 vlan 173
 nameif NEWINFR
 security-level 50
 ip address 172.16.85.1 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 ip address *******
!
boot system disk0:/asa915-k8.bin
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ***********
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network host_172.16.86.195
 nat (INFRA-MIGRATION,outside) static 198.90.7.195

access-list inside_access_in extended deny ip any4 72.14.160.0 255.255.240.0
access-list inside_access_in extended deny ip any4 66.220.146.0 255.255.254.0
access-list inside_access_in extended deny ip any4 38.111.100.128 255.255.255.192
access-list inside_access_in extended permit ip any4 any4
access-list outside_cryptomap extended permit ip 38.111.101.0 255.255.255.0 192.168.20.0 255.255.252.0
access-list capin extended deny tcp any4 any4 eq ssh

access-list prr-private extended permit ip object mail 10.10.0.0 255.255.0.0
access-list prr-151 extended permit ip 38.111.101.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list RENESYS001V03 standard permit host 38.111.101.75

access-list outside_access_in extended permit tcp any host 172.16.86.195 eq https
access-list outside_access_in extended permit tcp any host 172.16.86.195 eq www


access-list outside_access_in extended permit tcp any object TOST_172.16.86.135 object-group 80and21
access-list outside_access_in extended permit tcp any object TOST_172.16.86.136 object-group 80and21


access-list outside_access_in extended permit tcp object dyn_195.160.236.0 object host_172.16.86.253 object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit ip any object C3750G

access-list YOURHOST_access_in extended permit ip any any
access-list capsupra extended permit ip any host 192.168.1.10
access-list capsupra extended permit ip host 192.168.1.10 any
access-list temp extended deny ip any any
access-list outside_cryptomap_1 extended permit ip 172.16.86.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.86.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip object obj-172.16.0.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_5 extended permit ip 172.16.86.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 172.16.86.0 255.255.255.0 object MISSI-LOCAL
access-list INFRA-MIGRATION_access_in extended permit ip any any
access-list inside_access_in_1 extended deny ip any object-group MAL log
access-list inside_access_in_1 extended permit ip any any
access-list ACL-THROTTLE extended permit ip host 172.16.86.245 any
access-list ACL-THROTTLE extended permit ip any host 172.16.86.245
access-list ACL-THROTTLE extended permit ip host 172.16.86.88 any
access-list ACL-THROTTLE extended permit ip any host 172.16.86.88
access-list ACL-THROTTLE extended permit ip host 172.16.86.216 any
access-list ACL-THROTTLE extended permit ip any host 172.16.86.216
access-list ACL-THROTTLE extended permit ip host 172.16.86.219 any
access-list ACL-THROTTLE extended permit ip any host 172.16.86.219
snmp cpu threshold rising 75% 1
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging buffer-size 16384
logging buffered informational
logging trap warnings
logging asdm informational
logging host inside 172.16.86.201 format emblem
logging permit-hostdown
no logging message 302021
no logging message 302020
flow-export destination inside 172.16.86.225 2055
flow-export destination inside 172.16.86.245 9996
flow-export destination inside 38.111.101.33 2055
flow-export template timeout-rate 1
mtu outside 1500
mtu inside 1500
mtu INFRA-MIGRATION 1500
mtu management 1500
mtu YOURHOST 1500
ip verify reverse-path interface inside
failover
failover lan interface folink GigabitEthernet0/3
failover replication http
failover mac address GigabitEthernet0/0 0000.0000.0001 0000.0000.0002
failover mac address GigabitEthernet0/1 00aa.aaaa.aaa1 00aa.aaaa.aaa2
failover link folink GigabitEthernet0/3
failover interface ip folink 172.254.0.1 255.255.255.0 standby 172.254.0.2
failover ipsec pre-shared-key *****
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.16.100.0 255.255.255.0 outside
icmp permit 72.0.210.0 255.255.255.192 outside
icmp permit 172.16.0.0 255.255.0.0 inside
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source static obj-10.255.255.0 obj-10.255.255.0 destination static obj-172.16.70.0 obj-172.16.70.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj-172.16.80.0 obj-172.16.80.0
nat (INFRA-MIGRATION,outside) source dynamic any interface
nat (inside,outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-38.111.101.0 obj-38.111.101.0
nat (inside,outside) source static any any destination static obj-172.16.70.0 obj-172.16.70.0
nat (YOURHOST,outside) source dynamic any interface
nat (inside,outside) source static any any destination static supra-ravpn supra-ravpn
nat (inside,inside) source dynamic obj-172.16.0.0 interface destination static host-198.90.7.99 host-172.16.86.99
nat (inside,inside) source dynamic obj-172.16.0.0 interface destination static host-198.90.7.98 host-172.16.86.98
nat (inside,inside) source dynamic obj-172.16.0.0 interface destination static RAJESH_198.90.7.154 RAJESH_172.16.86.134
!

 nat (INFRA-MIGRATION,outside) static 198.90.7.90
object network sa2500

object network host_172.16.86.195
 nat (INFRA-MIGRATION,outside) static 198.90.7.195
object network obns0001v06
 nat (INFRA-MIGRATION,outside) static 198.90.7.106

nat (INFRA-MIGRATION,outside) after-auto source static SS_NEW_LAN NEW_SS_PUBLIC
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group INFRA-MIGRATION_access_in in interface INFRA-MIGRATION
access-group YOURHOST_access_in in interface YOURHOST
!

!
route outside 0.0.0.0 0.0.0.0 74.200.11.161 1
route inside 172.16.0.0 255.255.0.0 C3750G 1
route outside 172.16.1.0 255.255.255.0 74.200.11.161 1
route outside 172.16.70.0 255.255.255.0 74.200.11.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management


no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps cpu threshold rising
no sysopt connection permit-vpn
service resetoutside



ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point supra_trustpoint outside
webvpn        
 anyconnect image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.3.2016-k9.pkg 7
 anyconnect image disk0:/anyconnect-win-2.3.2016-k9.pkg 8
 anyconnect enable




class-map global-class
 match any
class-map bw-restrict
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
class-map ips
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
class-map longIdle
 match access-list longIdle
class-map INFRA-MIGRATION-default
 match default-inspection-traffic
class-map flow_export_class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
 class flow_export_class
  flow-export event-type all destination 172.16.86.245 172.16.86.225
 class longIdle
  set connection timeout idle 3:00:00 dcd
 class global-class
  flow-export event-type all destination 172.16.86.245 172.16.86.225
 class class-default
  user-statistics accounting
  flow-export event-type all destination 172.16.86.245 172.16.86.225
policy-map ips
 class ips
  ips inline fail-open sensor vs0
policy-map bw-throttle
 class bw-restrict
  inspect icmp
  inspect icmp error
policy-map PM-THROTTLE
 class INFRA-MIGRATION-default
  inspect http
  inspect icmp
  inspect icmp error
  inspect sip  
 class CM-THROTTLE
  police input 9000000 4500
  police output 9000000 4500
!
service-policy global_policy global
service-policy ips interface outside
service-policy bw-throttle interface inside
service-policy PM-THROTTLE interface INFRA-MIGRATION
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:2b03f8eaf491dec1dbea5754c1c96bf8
: end
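
The posted config already hairpins three other public addresses with `nat (inside,inside) ... destination static` rules (the host-198.90.7.99 / 98 / 154 lines). The same pattern, applied to the web server, avoids the round trip out of `outside` that produces the spoof denial and does not depend on DNS replies crossing the firewall. The fragment below is an added example, not part of the original post or the replies. It assumes the clients sit on INFRA-MIGRATION in 172.16.86.0/24 (the posted `inside` interface is shut down, so this is a guess; change the interface pair if the clients are elsewhere), and the object names host_198.90.7.195 and obj-172.16.86.0, the `host` line for host_172.16.86.195, and the client address in the packet-tracer check are all invented for the example.

```cisco
! Hairpin (U-turn) NAT so that INFRA-MIGRATION clients can reach the server
! by its public address. Added example, not from the original post.
!
! Assumptions (not shown in the posted config):
!   - clients are on INFRA-MIGRATION in 172.16.86.0/24
!   - host_198.90.7.195 and obj-172.16.86.0 are new object names
!   - the 'host' line of host_172.16.86.195 was elided from the paste
!
object network host_172.16.86.195
 host 172.16.86.195
object network host_198.90.7.195
 host 198.90.7.195
object network obj-172.16.86.0
 subnet 172.16.86.0 255.255.255.0
!
! Line 1 puts this rule at the top of manual NAT section 1 so it is evaluated
! before 'nat (INFRA-MIGRATION,outside) source dynamic any interface'. That
! rule otherwise matches first (source any, egress via the default route),
! PATs the client to 74.200.11.180 and sends the packet out of 'outside';
! the upstream router returns it to the ASA, which then sees its own
! interface address as the source and logs 'Deny IP spoof'.
!
! The source is translated to the interface address so the server replies
! to the ASA and not straight to a client on its own subnet; an untranslated
! reply would bypass the firewall and the TCP connection would be dropped.
! The destination 198.90.7.195 is untranslated to 172.16.86.195.
!
nat (INFRA-MIGRATION,INFRA-MIGRATION) 1 source dynamic obj-172.16.86.0 interface destination static host_198.90.7.195 host_172.16.86.195
!
! 'same-security-traffic permit intra-interface' is already configured and is
! required for a flow to enter and leave the same interface. The interface
! ACL INFRA-MIGRATION_access_in permits ip any any, so no ACL change is needed.
!
! Verify before relying on it (client address and port are constructed):
packet-tracer input INFRA-MIGRATION tcp 172.16.86.50 40000 198.90.7.195 80 detailed
show nat detail
show xlate
```

The packet-tracer output should show the new NAT rule in the NAT phase, egress interface INFRA-MIGRATION, and an ALLOW result; if it still shows egress `outside` and the dynamic PAT rule, the hairpin rule is ordered below it and the line number needs to be revisited.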


If your DNS requests from the inside network pass through the ASA then you can use DNS rewrite for this as follows.

object network host_172.16.86.195
 nat (INFRA-MIGRATION,outside) static 198.90.7.195 dns

Keep in mind that when using this the public IP is rewritten to the NAT private IP, so make sure that any access lists permit traffic to the private IP of the server.

--

Please remember to select a correct answer and rate helpful posts


Thanks for your reply Marius.

I did try your suggestion of DNS doctoring. It doesn't resolve the issue. Kindly have a look at the attached diagram.

From the look of your diagram, it seems the webserver is located on the internet and not behind the ASA? If this is the case then DNS rewrite would not work, and we would need more information about your setup to come up with possible solutions.

--

Please remember to select a correct answer and rate helpful posts
