01-04-2019 05:13 PM - edited 02-21-2020 08:37 AM
Hi everyone,
I have a web server that sits behind an ASA5505, let's say it has the IP 10.0.1.10.
I have configured a NAT rule to forward port 80 from the outside interface, for example 54.55.56.57, to this server. It works flawlessly.
However, I have observed that if I have a PC on the same subnet as this web server, let's say the PC has the IP 10.0.1.20, it seems the PC won't connect to the web server if I type in http://54.55.56.57. http://10.0.1.10 works without any issue.
Now I'm curious: can I make the PC able to access the web server's external address if it resides on the same subnet as the server?
Thanks.
01-04-2019 09:45 PM
Hi
Yes this is possible.
Take a look at this link, section 1 and section 2: https://community.cisco.com/t5/security-documents/dns-doctoring-and-u-turning-on-the-asa-quot-when-and-how-to-use/ta-p/3153693
Section 1 is for DNS doctoring (if users get DNS resolution from an external DNS) and Section 2 is without DNS doctoring.
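The U-turn (hairpin) NAT that section 2 of the linked document describes, written out as an added example; this is not part of the reply above or of the linked document. It assumes ASA 8.3+ twice-NAT syntax, interfaces named inside and outside, the thread's addresses 10.0.1.10 (server) and 54.55.56.57 (public IP, assumed static here), and the object names are made up for the example.

```cisco
! Traffic must be allowed to enter and leave the same interface (inside)
same-security-traffic permit intra-interface

object network WEB-SERVER
 host 10.0.1.10
object network WEB-PUBLIC
 host 54.55.56.57
object network INSIDE-LAN
 subnet 10.0.1.0 255.255.255.0
object service HTTP
 service tcp destination eq 80

! Existing inbound port forward (internet -> server) stays as it is
object network WEB-SERVER
 nat (inside,outside) static WEB-PUBLIC service tcp 80 80

! U-turn rule: an inside host that connects to 54.55.56.57:80 gets the
! destination translated to 10.0.1.10, and its source is hidden behind the
! ASA's inside interface address so the server's reply comes back through
! the ASA instead of going straight to the PC (which would break the session).
nat (inside,inside) source dynamic INSIDE-LAN interface destination static WEB-PUBLIC WEB-SERVER service HTTP HTTP
```

Because of the source translation, the web server's logs will show the ASA's inside address rather than the real client address for these hairpinned connections, so keep that in mind when reviewing access logs.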
01-05-2019 12:20 AM - edited 01-05-2019 03:28 AM
Hi Francesco,
Thanks for the information, but it seems I'm not allowed to select the "Translate the DNS reply for rules" checkbox, which is somehow required to make DNS doctoring work. Is it something to do with my NAT?
01-05-2019 02:53 AM
Kindly please show us your NAT rule.
01-05-2019 03:21 AM - edited 01-05-2019 03:22 AM
01-05-2019 07:13 AM
Hello,
Could you please post the output from show run nat?
01-06-2019 08:32 PM
01-05-2019 08:25 AM
Since you cannot use DNS, the other solution could be something like this.
object network HOST-OUT
host 54.55.56.57
nat (WAN,Lab_Outside_Gateway) static 10.0.1.21
!
access-list OUT-IN extended permit tcp any host 10.0.1.21 eq 80
access-group OUT-IN in interface outside
If this fulfills your purpose and is something like what you are looking for, then from your Lab_Outside_Gateway PC you use http://54.55.56.57. Once this rule is in place you cannot use http://10.0.1.21.
You have to reserve the IP address 10.0.1.21 for this server, bound to 54.55.56.57. However,
having said that, this can be useful if you have a spare public IP address.
01-05-2019 11:32 AM - edited 01-05-2019 11:33 AM
Hi,
Thanks for the NAT tip. However, my 54.55.56.57 public IP actually comes from DHCP from the ISP. I do not have a static IP at the moment.
In this case, can I bind the host to the outside interface instead of 54.55.56.57 for the NAT rule to work?
01-05-2019 11:52 AM
I think I know what you want. Maybe I can help you, but it will be a different approach.
First of all, tell me: if you are sitting inside your network, why do you want to use the public IP address to access the server? You can easily use the private RFC 1918 addresses. Having said that, I think you have something like this in mind: you want to access http://54.x.x.x from outside, on the internet, if you are not at home or are somewhere in another country, so your server is always accessible to you regardless of whether the address from DHCP changes.
If you answer this I can guide you.
01-05-2019 07:33 AM
Hi,
Static NAT is used whenever an outside user would like to access a server that sits in your internal network. In this case, traffic traverses from WAN to Lab_Outside_Gateway.
For example, someone on the internet is trying to access the web server by HTTP://54.55.56.57. The packet arrives at the ASA and matches the NAT rule; the packet is then translated to the private address and forwarded via the correct interface.
I understand that your question is how to use the public IP when accessing from the internal network. Can't you use the private IP when accessing from inside?
Thanks
However in your case the traffic
01-05-2019 11:35 AM - edited 01-05-2019 11:45 AM
Hi, I can use the private IP to access the web server without any issue. It's just that being able to access the web server's public address is also required, so I'm still frustrated.
On a side note, accessing the web server's public address from the internet also works.
Now the culprit is this flow:
Inside =======> outside
PC:10.0.1.20    54.55.56.57
                    |
Inside <============+
Web Server:10.0.1.10
doesn't seem to work.
Thanks.
01-05-2019 11:58 AM - edited 01-05-2019 12:05 PM
If I understand the topology you drew, you should be able to connect to your web server from the internet.
Go to https://www.browserling.com/
Type the address http://54.55.x.x
Or do a packet tracer and paste the result here:
packet-tracer input WAN tcp 8.8.8.8 123 10.0.1.10 80 detail
Also give us show run access-list