ASA Return-Traffic blocked because of the same IP range?

Mike-Zimmermann
Level 1

Hi,

Is it possible to allow return traffic in on an ASA when the source IP address is from the same IP range as the server you want to contact? So, the ASA has an IP range on the external interface, and all the clients get a specific IP address from this range with the help of PAT when they surf the internet, for example. But is it possible to access a server which is in the DMZ with a public IP address in the same IP range as the clients? What do I have to configure on the ASA to allow return traffic in? Before you ask... it is not possible to access the server from inside.

Thanks in advance!

Regards,

Mike
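For readers who want to reproduce the situation on a lab ASA, the following is an added reconstruction of the setup described in the post, not configuration from the thread. Every interface name, object name and address in it is an assumption: the outside subnet 198.200.1.0/24 is carried by the outside interface, the inside clients are PATed to a pool inside that same subnet, and the DMZ server (real address 10.1.1.34) is published by a static NAT to 198.200.1.34, also inside that subnet. The final line is the ASA's own packet-tracer command, which shows how the box classifies an inside client connecting to the server's public address (NAT rule matched, egress interface chosen, and the drop reason if any); it is the quickest way to confirm what the replies below describe on your own device.

```text
! Added example (not from the thread): a reconstruction of the setup the
! question describes, with assumed addresses. The outside subnet
! 198.200.1.0/24 is shared by the PAT pool for inside clients and the
! static NAT of the DMZ server; every name and address here is assumed.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.200.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! DMZ server: real address 10.1.1.34, published as 198.200.1.34, which
! lies inside the outside interface's own subnet, so the ASA proxy-ARPs
! for it on the outside segment.
object network DMZ-WEB
 host 10.1.1.34
 nat (dmz,outside) static 198.200.1.34
!
! Inside clients: PAT to a pool of addresses taken from the same outside
! subnet (the situation the question describes).
object network OUTSIDE-PAT-POOL
 range 198.200.1.100 198.200.1.110
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool OUTSIDE-PAT-POOL
!
! Only the published service on the DMZ server is reachable from the
! Internet (post-8.3 ACLs match the real address, not the mapped one).
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 80
access-group OUTSIDE_IN in interface outside
!
! Check: trace an inside client connecting to the server's public address.
! The output lists each phase (route lookup, NAT, ACL) and the result.
packet-tracer input inside tcp 10.0.0.10 40000 198.200.1.34 80
```

The same packet-tracer run with `input outside` and an Internet source address shows the normal inbound path to the server, which is useful as a side-by-side comparison when reading the trace for the inside-sourced flow.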

Accepted Solution

Rahul Govindan
VIP Alumni

If the NAT rule for the DMZ server to public IP space is hosted on the ASA, then this is not possible by U-turning the traffic on the ASA. The ASA, by default, does not allow traffic sourced from one interface (inside, in this case) to hit another interface (outside, which proxy-ARPs for your DMZ public IP). There is no way to turn this off.

Is there any way to separate the DMZ or client IP addresses into a different range other than the outside pool?


3 Replies

Sergey Lisitsin
VIP Alumni

Mike,

Technically it is possible. What you need, though, is a host route for the server. So, for example, if you have the subnet 198.200.1.0/24 configured on your outside interface and you have a server with the IP address 198.200.1.34 that resides in the DMZ, then you need to configure a host route for 198.200.1.34 on the DMZ interface. The server must then also have a return static route via the ASA's DMZ interface.


Mike-Zimmermann
Level 1

Hi,

Thanks for your fast reply.

We only have one IP range on the outside interface. The server is accessible from outside via one IP of this range with NAT (as Rahul wrote), and the clients also get a public IP address from this range when they access the internet. So there is really no way to allow return traffic from the clients in, unless we move the clients or the server in the DMZ into a new, additional IP range? :-(
