Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8665
Views
0
Helpful
8
Replies

Can’t access an external IP on my own firewall from within the LAN network.

H3t eechr de
Level 1
Level 1

‎10-21-2010 03:08 AM - edited ‎03-11-2019 11:58 AM

Hi Everyone,

We are facing an issue for a while now and i do not figure out a solution yet.

Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces.

The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address.

A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.

Does anyone know how to deal with this?

Kind Regards,

Jurian

Labels:
0 Helpful
8 Replies 8

Jon Marshall
Hall of Fame
Hall of Fame

‎10-21-2010 04:50 AM 

j.snoeij@nexct.nl
Hi Everyone, 
We are facing an issue for a while now and i do not figure out a solution yet. 
Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. 
The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. 
A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons. 
Does anyone know how to deal with this? 
Kind Regards, 
Jurian

Jurian

You say you cannot make exemption rules between subinterfaces for security reasons but what reasons are they ? It's confusing because even if you could get it to work with public IPs you are still allowing one customer to access another customers network so what is the difference in the security rules for the public IPs compared to subinterfaces ?

I appreciate you don't want to hear this but the solution is to allow access via the subinterfaces and not try and do it via the public IPs which i'm not even sure is possible although someone else may have a solution. You are basically trying to send the traffic to the outside interface and loop it straight back and i can't see why this is any more secure than simply allowing access between subinterfaces ?

Perhaps you could clarify ?

Jon

0 Helpful

H3t eechr de
Level 1
Level 1
In response to Jon Marshall

‎10-21-2010 05:39 AM

Jon,

Thanks for your replay.
You are right, exemption rules it is not really an security issue if you look it in that way.

The thing is, we have a lot of sub interfaces, it’s a lot of work to create exemption rules with the right access rules etc. I was hoping for a magical (fix all) solution ;).

But still, I don’t think I am the only one in a situation like this.

Jurian

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to H3t eechr de

‎10-21-2010 06:08 AM

Hi Jurian,

Well based on your description all i can understand is you need some kind of U-turning or hairpinning on the ASA.

If you can post a sample of your exact requirement along with a topology then i can tell you if we can implement it that way.

Thanks and Regards,

Prapanch

0 Helpful

H3t eechr de
Level 1
Level 1
In response to praprama

‎10-21-2010 06:56 AM

I have made a simpel topology.

This is how my situation look like..

Preview file
64 KB
0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to H3t eechr de

‎10-21-2010 07:41 AM

Hey,

Alright i get it now.

So, assuming that the sub-interface in the 10.172.126.0/24 network is inside1 and in the 10.172.1220./24 network is inside2, you will need a static in the below format:

static (inside2,inside1) 62.123.123.2 10.172.122.1

So this tells the ASA that any request coming in on the inside1 interface destined to 62.123.123.2, redirect the packet out inside2 interface and also translate the destination IP to 10.172.122.1.

Another thing is if you have an acess-list applied on the inside1 interface in the inbound direction, make sure to permit this traffic. Also, if both inside1 and inside2 have the same security level, you will also need to enable "same-security-traffic permit inter-interface".

Let me know if this helps!!

Thanks and Regards,

Prapanch

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to H3t eechr de

‎10-22-2010 07:56 AM

Hey Jurian,

Did you try the above out?

Regards,

Prapanch

0 Helpful

jaikpitanyi
Level 1
Level 1
In response to praprama

‎12-18-2012 04:30 PM

Hello Prapanch,

Thank you for that soultion. Can you translate that your NAT solution to NAT in asa version 8.4?

Hopeto hear from you.

Cheers,

J.

0 Helpful

connectone
Level 4
Level 4

‎10-21-2010 07:18 AM

If I am understanding correctly, you have a static NAT statement for traffic to come inbound from exter

nat interface (outside) to inside or DMZ interfaces something like this.

static (dmz,outside) 1.1.1.1 10.10.20.50 netmask 255.255.255.255

Then there is a acl that would allow say port 80 and port 25 traffic into IP address 1.1.1.1 and that works for anyone on the outside of your firewall.  Now you want the same thing to work for anyone on the inside of your firewall.  I think what you are looking for is the UN-NAT feature.

So if you have your outside NAT statment like above, you want the UN-NAT statement.  Lets say that the customer A is the custA interface and the outside represents the external outside interface on the firewall.  Traffic to 1.1.1.1 is destined for custA server for port 80 which is allowed in an ACL you applied to the interface.  if you want to use the 1.1.1.1 IP address for CustB to access CustA the same way as the external, you can do the un-nat like the second example.

static (custA,outside) 1.1.1.1 10.10.20.50 netmask 255.255.255.255
static (CustA,CustB) 1.1.1.1 10.10.20.50 netmask 255.255.255.255

Do this all the time on our ASA firewalls so the people faceing the inside of the firewall can use the same external DNS server to resolve if they are in their corporate office or if they are at home on a different ISP, the IP address the get from a DNS query is the same external IP address and the NAT or UN-NAT takes care of makeing the appropriate changes to move the traffic along.

I would suggest using packet-tracer is a great tool to use on the ASA to see how your rules on the firewall will work on traffic by source and destination IP's and ports.  It will show you if traffic is dropped, NAted, encrypted, allowed etc.

Hope this helps you and not confuses you more..

Frank

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card