ASA Hairpinning Question

Ryan Fisher
Level 1

I have a webserver in my DMZ that I need to access from the inside network, but need to use the internet IP address to reach it.  I can't use DNS rewrite because I'm using Citrix global server load balancing to serve the IP address for DNS, so it needs to access it by the external internet IP address.

I have the same-security-traffic permit intra interface line in the config, and I've tried creating a couple of NATs but none of them seemed to work.


static (inside, inside) 10.115.185.199 10.115.185.199 netmask 255.255.255.255

static (dmz, dmz) 10.115.185.199 10.115.185.199 netmask 255.255.255.255


DMZ server 172.16.100.19

inet IP NATd to DMZ server: 10.115.185.199 (obviously cleansed)

outside interface IP:  10.115.185.212

internal network 10.100.205.0/24

ASA version 8.2(5)


Any help is appreciated!  Hope I've given enough information.

Thanks

5 Replies

Akshay Rastogi
Cisco Employee

Hi Ryan,

Please try the below configuration:

step1:

static (dmz,outside) 10.115.185.199 172.16.100.19 netmask 255.255.255.255

static (dmz,inside)  10.115.185.199 172.16.100.19 netmask 255.255.255.255

step2:

allow access-list on outside:

access-list out_in permit tcp any host 172.16.100.19

access-group out_in in interface outside

Please let us know if this works for you.

Regards,

Akshay Rastogi

Hi, thanks.  That did work, and I can now access my web server from the inside with the public IP address.  However, I cannot access it from the outside anymore!  I'll post my firewall config.

Also, I decided to do this on my lab firewall first, so my IP addresses have changed slightly:

DMZ server 172.16.35.50 (also doing 172.16.35.60)

inet IP NATd to DMZ server: 10.242.145.227 (obviously cleansed)

outside interface IP:  10.242.245.144

internal network 10.80.1.0/24, 10.90.1.0/24

ASA version 8.2(5)


lab-5505asa(config)# sh run
: Saved
:
ASA Version 8.2(5) 
!
hostname lab-5505asa
domain-name 
enable 

names
name 10.36.0.0 OC-Site description OC-Internal
name 10.0.0.0 SD-HQ description PCHS-Internal
dns-guard
!
interface Ethernet0/0
 description inside
!
interface Ethernet0/1
 description outside
 switchport access vlan 2
!
interface Ethernet0/2
 description dmz
 switchport access vlan 4
 speed 100
 duplex full
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.91.1.2 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.242.145.144 255.255.255.128 
 ospf cost 10
!
interface Vlan4
 nameif DMZ   
 security-level 50
 ip address 172.16.35.1 255.255.255.0 
 ospf cost 10
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name 
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain 
 service-object udp eq domain 
 service-object udp eq ntp 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host 10.90.1.10
 network-object host 10.90.1.11
object-group network DM_INLINE_NETWORK_2
 network-object host 10.242.128.100
 network-object host 10.242.128.101
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq domain 
 service-object udp eq domain 
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq 3008
 port-object eq 3010
 port-object eq ssh
object-group network DM_INLINE_NETWORK_3
 network-object xxx 255.255.240.0
 network-object xxx 255.255.224.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 3268
 port-object eq 3269
 port-object eq ldap
 port-object eq ldaps
object-group network DM_INLINE_NETWORK_6
 network-object host 172.16.35.12
 network-object host 172.16.35.13
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_7
 network-object host 172.16.35.12
 network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_8
 network-object host 172.16.36.45
 network-object host 172.16.36.46
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq www
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_4
 network-object host 10.242.145.227
 network-object host 10.242.145.228
 network-object host 10.242.145.229
 network-object host 10.242.145.240
 network-object host 10.242.145.241
 network-object host 10.242.145.243
object-group network DM_INLINE_NETWORK_5
 network-object host 172.16.35.12
 network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_10
 network-object host 172.16.36.15
 network-object host 172.16.36.42
object-group network xenapp_servers
 network-object host 10.90.1.45
 network-object host 10.90.1.46
 network-object host 10.90.5.54
object-group network xendesktop_servers
 network-object host 10.90.1.38
 network-object host 10.90.1.54
 network-object host 10.90.1.68
 network-object host 10.90.1.69
object-group network DM_INLINE_NETWORK_11
 network-object host 172.16.36.10
 network-object host 172.16.36.42
 network-object 10.80.1.0 255.255.255.0
 group-object xenapp_servers
 group-object xendesktop_servers
object-group network DM_INLINE_NETWORK_9
 network-object host 172.16.36.27
 network-object host 172.16.36.31
object-group network DM_INLINE_NETWORK_12
 network-object host xxx
 network-object host xxx
object-group network DM_INLINE_NETWORK_13
 network-object 10.90.10.0 255.255.255.0
 network-object 192.168.80.0 255.255.255.0
 network-object 10.249.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_14
 network-object 10.90.1.0 255.255.255.0
 network-object 10.90.5.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_15
 network-object host 10.249.2.15
 network-object host 10.249.2.16
 network-object host 10.249.2.17
 network-object host 10.249.2.21
 network-object 10.249.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_16
 network-object host 172.16.35.161
 network-object host 172.16.35.162
 network-object host 172.16.35.160
object-group service DM_INLINE_SERVICE_4
 service-object icmp 
 service-object tcp-udp eq domain 
 service-object tcp eq ldap 
object-group network DM_INLINE_NETWORK_17
 network-object host 172.16.35.10
 network-object host 172.16.35.160
object-group network DM_INLINE_NETWORK_18
 network-object host 10.242.145.226
 network-object host 10.242.145.242
object-group network DM_INLINE_NETWORK_19
 network-object host 172.16.35.11
 network-object host 172.16.35.159
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_20
 network-object host 172.16.35.161
 network-object host 172.16.35.162
object-group network DM_INLINE_NETWORK_22
 network-object host 172.16.35.161
 network-object host 172.16.35.162
 network-object host 172.16.35.160
object-group network DM_INLINE_NETWORK_21
 network-object host 172.16.35.12
 network-object host 172.16.35.13
object-group network DM_INLINE_NETWORK_23
 network-object host 172.16.35.50
 network-object host 172.16.35.60
access-list outside_access_in extended permit ip any host 10.242.145.144 log disable 
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable 
access-list outside_access_in extended permit tcp any host 10.242.145.225 eq 3389 log disable 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_18 eq smtp log disable 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable 
access-list dmz_access_in extended permit ip any any log disable 
access-list inside_access_in extended deny ip host 10.90.100.25 any log disable 
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable 
access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable 
access-list inside_access_in extended permit tcp host 10.249.2.22 host 172.16.35.159 eq smtp log disable 
access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable 
access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable 
access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable 
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_21 any log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_20 object-group DM_INLINE_NETWORK_15 log disable 
access-list DMZ_access_in extended permit udp object-group DM_INLINE_NETWORK_22 any eq ntp log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group DM_INLINE_NETWORK_16 host 10.249.2.100 log disable 
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable 
access-list DMZ_access_in extended permit tcp host 172.16.35.160 host 10.249.2.21 eq smtp log disable 
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_19 any eq smtp log disable 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_17 any object-group DM_INLINE_TCP_1 log disable 
access-list DMZ_access_in remark rule for cag to owa
access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable 
access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive 
access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any 
access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0 
access-list out_in extended permit tcp any object-group DM_INLINE_NETWORK_23 log disable 
access-list inside_nat0_outbound extended permit ip SD-HQ 255.0.0.0 OC-Site 255.255.0.0 
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging host inside 10.90.1.65 6/1470
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.80.1.0 255.255.255.0
nat (inside) 1 10.90.1.0 255.255.255.0
nat (inside) 1 10.90.5.0 255.255.255.0
nat (inside) 1 192.168.80.0 255.255.255.0
nat (inside) 1 10.249.0.0 255.255.0.0
nat (DMZ) 1 172.16.35.0 255.255.255.0
static (DMZ,outside) 10.242.145.226 172.16.35.10 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.228 172.16.35.55 netmask 255.255.255.255 dns 
static (inside,outside) 10.242.145.225 10.90.1.21 netmask 255.255.255.255 dns 
static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255 
static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255 
static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255 
static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255 
static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255 
static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0 
static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0 
static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0 
static (inside,DMZ) 10.249.2.0 10.249.2.0 netmask 255.255.255.0 
static (inside,DMZ) 10.249.1.0 10.249.1.0 netmask 255.255.255.0 
static (DMZ,outside) 10.242.145.227 172.16.35.50 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.229 172.16.35.60 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.240 172.16.35.170 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.241 172.16.35.171 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.242 172.16.35.160 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.243 172.16.35.159 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.244 172.16.35.13 netmask 255.255.255.255 
static (DMZ,inside) 10.242.145.227 172.16.35.50 netmask 255.255.255.255 
static (DMZ,inside) 10.242.145.229 172.16.35.60 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group out_in in interface outside
access-group DMZ_access_in in interface DMZ
!
router eigrp 200
 network SD-HQ 255.0.0.0
 passive-interface default
 no passive-interface inside
!
route outside 0.0.0.0 0.0.0.0 10.242.145.129 1
route inside SD-HQ 255.0.0.0 10.91.1.1 1
route inside 192.168.80.0 255.255.255.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http SD-HQ 255.0.0.0 inside
http 10.80.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh SD-HQ 255.0.0.0 inside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.90.1.50 source inside prefer
webvpn
username 
username 
!
class-map inspection_default
 match default-inspection-traffic
!             
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect pptp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end

Hi Ryan,

I reviewed the configuration and I could see that you have configured the wrong access-list on the outside interface. This wrong access-list does not have your traffic allowed from outside.

Wrong access-list :

access-list out_in extended permit tcp any object-group DM_INLINE_NETWORK_23 log disable 

access-group out_in in interface outside

Correct access-list which needs to be configured:

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable

access-group outside_access_in in interface outside


Please let me know if this works.

Regards,

Akshay Rastogi

So, I never saved my config so I just reloaded the firewall to get it back to where it was.  After that, all I ended up putting in it were the two nat statements:


static (DMZ,inside) 10.242.145.229 172.16.35.60 netmask 255.255.255.255 
static (DMZ,inside) 10.242.145.227 172.16.35.50 netmask 255.255.255.255


and it works.  I think the existing ACL you pointed out


access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable

object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_4
 network-object host 10.242.145.227
 network-object host 10.242.145.228
 network-object host 10.242.145.229
 network-object host 10.242.145.240
 network-object host 10.242.145.241
 network-object host 10.242.145.243

already covers what I was trying to do so I didn't have to change that at all.  Now everything seems to work the way I want it.

I guess beyond this my only question would be what does the line 

access-group outside_access_in in interface outside

that you wanted me to put in do?  I don't have it in now and it's working, so I'm just curious.

Thanks for all the help!

Hi Ryan,

I am glad this is working now. That command is a way to call the access-list on an interface. An access-list would not match traffic unless we call it on a specific interface.

Therefore, when you configure that command, all traffic coming from the outside interface to a destination IP mentioned in object group 'DM_INLINE_NETWORK_4' on a destination port mentioned in object group 'DM_INLINE_TCP_7' would match that access-list and the required action would be performed.

Please let me know if this answers your queries. If this answers your query, I would request you to select the appropriate response as the solution for this thread.


Regards,

Akshay Rastogi
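The resolution of this thread, gathered into one added example (this is not configuration from the thread and not Cisco's own reference material): the two static pairs Ryan ended up with, an outside access-list written against the mapped addresses as ASA 8.2 evaluates it, the access-group bindings, and the checks for each direction. The object-group names web_public and web_ports, the inside client 10.80.1.10 and the outside client 198.51.100.7 are assumed/constructed; the ASA addresses are the lab ones from the thread.

```cisco
! Added example (not from the thread): ASA 8.2(5) hairpin-by-NAT for the lab
! addresses above. 10.80.1.10 and 198.51.100.7 are constructed client addresses.

! Publish each DMZ web server on its public address towards the outside AND
! towards the inside, so inside clients can reach it by the public address
! without DNS rewrite. The inside->DMZ path enters "inside" and leaves "DMZ",
! so "same-security-traffic permit intra-interface" is not needed for it.
static (DMZ,outside) 10.242.145.227 172.16.35.50 netmask 255.255.255.255
static (DMZ,inside)  10.242.145.227 172.16.35.50 netmask 255.255.255.255
static (DMZ,outside) 10.242.145.229 172.16.35.60 netmask 255.255.255.255
static (DMZ,inside)  10.242.145.229 172.16.35.60 netmask 255.255.255.255

! 8.2 semantics: an interface ACL is evaluated before the static is undone,
! so the outside ACL must name the mapped (public) address, not the DMZ real
! address. An entry for "host 172.16.35.50" on outside never matches.
object-group network web_public
 network-object host 10.242.145.227
 network-object host 10.242.145.229
object-group service web_ports tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any object-group web_public object-group web_ports

! The inside ACL also sees the pre-NAT destination, i.e. the public address.
access-list inside_access_in extended permit tcp 10.80.1.0 255.255.255.0 object-group web_public object-group web_ports

! One ACL per interface and direction: a second "access-group ... in interface
! outside" replaces the first, which is what removed the other outside permits
! (smtp, 3389, ...) when out_in was bound in the thread.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

! Verification (exec mode, not configuration). packet-tracer walks the packet
! through ACL, NAT and routing and names the phase that drops it.
packet-tracer input inside  tcp 10.80.1.10   40000 10.242.145.227 80
packet-tracer input outside tcp 198.51.100.7 40000 10.242.145.227 80
show xlate | include 172.16.35.50
show access-list outside_access_in
```

Both packet-tracer runs should end with "Action: allow" and show the untranslate to 172.16.35.50; the hit counters in show access-list confirm which entry actually matched. The mapped-address rule is specific to 8.2 and earlier: from 8.3 onward the NAT syntax changed and interface ACLs are written against the real (untranslated) address, so this example must not be carried over to a newer ASA unchanged.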
