Can’t access an external IP on my own firewall from within the LAN network.

Hi Everyone,

We have been facing an issue for a while now and I have not figured out a solution yet.

Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are different NAT rules for every customer, all using the same block of public IP addresses on the outside interface. They do not have access to each other's network, so I cannot make any exemption rules between two sub interfaces.

The problem for all our customers is that they cannot communicate with each other over Internet, email, applications etc. using the external IP address.

A workaround is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.

Does anyone know how to deal with this?

Kind Regards,

Jurian

Jon Marshall
VIP Community Legend

Jurian

You say you cannot make exemption rules between subinterfaces for security reasons, but what reasons are they? It's confusing because even if you could get it to work with public IPs you are still allowing one customer to access another customer's network, so what is the difference in the security rules for the public IPs compared to subinterfaces?

I appreciate you don't want to hear this, but the solution is to allow access via the subinterfaces and not try to do it via the public IPs, which I'm not even sure is possible, although someone else may have a solution. You are basically trying to send the traffic to the outside interface and loop it straight back, and I can't see why this is any more secure than simply allowing access between subinterfaces?

Perhaps you could clarify?

Jon

Jon,

Thanks for your reply.
You are right, exemption rules are not really a security issue if you look at it that way.

The thing is, we have a lot of sub interfaces, and it's a lot of work to create exemption rules with the right access rules etc. I was hoping for a magical (fix all) solution ;).

But still, I don’t think I am the only one in a situation like this.

Jurian

Hi Jurian,

Well, based on your description all I can understand is that you need some kind of U-turning or hairpinning on the ASA.

If you can post a sample of your exact requirement along with a topology then i can tell you if we can implement it that way.

Thanks and Regards,

Prapanch

I have made a simple topology.

This is what my situation looks like.

Hey,

Alright, I get it now.

So, assuming that the sub-interface in the 10.172.126.0/24 network is inside1 and the one in the 10.172.122.0/24 network is inside2, you will need a static in the format below:

static (inside2,inside1) 62.123.123.2 10.172.122.1

So this tells the ASA that for any request coming in on the inside1 interface destined to 62.123.123.2, redirect the packet out of the inside2 interface and also translate the destination IP to 10.172.122.1.

Another thing: if you have an access-list applied on the inside1 interface in the inbound direction, make sure to permit this traffic. Also, if both inside1 and inside2 have the same security level, you will also need to enable "same-security-traffic permit inter-interface".

Let me know if this helps!!

Thanks and Regards,

Prapanch

Hey Jurian,

Did you try the above out?

Regards,

Prapanch

Hello Prapanch,

Thank you for that solution. Can you translate your NAT solution to NAT in ASA version 8.4?

Hope to hear from you.

Cheers,

J.

connectone
Enthusiast

If I am understanding correctly, you have a static NAT statement for traffic to come inbound from the external interface (outside) to inside or DMZ interfaces, something like this.

static (dmz,outside) 1.1.1.1 10.10.20.50 netmask 255.255.255.255

Then there is an ACL that would allow, say, port 80 and port 25 traffic into IP address 1.1.1.1, and that works for anyone on the outside of your firewall.  Now you want the same thing to work for anyone on the inside of your firewall.  I think what you are looking for is the UN-NAT feature.

So if you have your outside NAT statement like above, you want the UN-NAT statement.  Let's say that customer A is the custA interface and outside represents the external outside interface on the firewall.  Traffic to 1.1.1.1 is destined for the custA server on port 80, which is allowed in an ACL you applied to the interface.  If you want to use the 1.1.1.1 IP address for custB to access custA the same way as from the external side, you can do the UN-NAT like the second example.

static (custA,outside) 1.1.1.1 10.10.20.50 netmask 255.255.255.255
static (custA,custB) 1.1.1.1 10.10.20.50 netmask 255.255.255.255

We do this all the time on our ASA firewalls so the people facing the inside of the firewall can use the same external DNS server to resolve, whether they are in their corporate office or at home on a different ISP: the IP address they get from a DNS query is the same external IP address, and the NAT or UN-NAT takes care of making the appropriate changes to move the traffic along.

I would suggest using packet-tracer; it is a great tool to use on the ASA to see how your rules on the firewall will work on traffic by source and destination IPs and ports.  It will show you if traffic is dropped, NATed, encrypted, allowed etc.

Hope this helps you and does not confuse you more.

Frank
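Jurian's open question of how Prapanch's and Frank's pre-8.3 `static` pairs look in ASA 8.4 is not answered in the thread. The following is an added example (not part of any reply above) using Frank's addresses and interface names: the same real server is published on the outside and hairpinned to custB with 8.3+ manual (twice) NAT, and the result is checked with packet-tracer. The custB client address 10.10.30.5 and the ACL name are constructed for the example.

```cisco
! Real server and its public identity as network objects
object network custA-server
 host 10.10.20.50
object network custA-server-public
 host 1.1.1.1

! Equivalent of: static (custA,outside) 1.1.1.1 10.10.20.50
! Internet clients reach the server via 1.1.1.1
nat (custA,outside) source static custA-server custA-server-public

! Equivalent of: static (custA,custB) 1.1.1.1 10.10.20.50
! custB clients hitting 1.1.1.1 are un-NATed to 10.10.20.50 and
! sent out the custA subinterface instead of toward the Internet
nat (custA,custB) source static custA-server custA-server-public

! Only needed if custA and custB share the same security level
same-security-traffic permit inter-interface

! Since 8.3, interface ACLs match the REAL (untranslated) address,
! so the custB inbound ACL must permit 10.10.20.50, not 1.1.1.1.
! The rule is kept narrow: one source subnet, one destination
! host, one port, so no general custA access is opened.
access-list custB_in extended permit tcp 10.10.30.0 255.255.255.0 host 10.10.20.50 eq 80
access-list custB_in extended deny ip any 10.10.20.0 255.255.255.0
access-list custB_in extended permit ip any any
access-group custB_in in interface custB

! Verify the hairpin from a constructed custB client before relying
! on it; the output shows the UN-NAT phase and the egress interface.
packet-tracer input custB tcp 10.10.30.5 12345 1.1.1.1 80
```

The packet-tracer result should end in "Action: allow" with "output-interface: custA"; a result of "output-interface: outside" means the (custA,custB) rule did not match and the flow is still being sent toward the Internet.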
