Cisco ASA 5510 IP redirect

kipper256 (Level 1)

I’ve been going round in circles for the last few days trying to accomplish this:

I've not had much experience with Cisco routers; this is an ASA 5510 running 8.2 (old command structure).

In a nutshell, I want to translate a LAN request for one of our external IPs to the internal webserver (I think this is also called hairpinning).

We have a block of 8 external IPs:

i.i.i.97, 98, 99, 100, 101, 102, 210, 211

Our interface running config is:

interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 213.106.251.100 255.255.255.248
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.22.16.25 255.255.240.0
!
interface Ethernet0/2
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/2.23
 vlan 23
 nameif GuestWireless
 security-level 10
 ip address 172.22.225.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address

On the inside I have a server on 10.22.16.34 for which I want to expose ports 21, 80, 8000 and 8082 to internet clients. However, I need internal LAN clients requesting the external IP i.i.i.98 to be redirected to 10.22.16.34.

I've tried to run:

Default dynamic PAT for LAN users to access internet:

global (outside) 1 interface
nat (inside) 1 10.22.16.0 255.255.240.0
nat (inside) 1 172.22.225.0 255.255.255.0

Then static NAT for the server:

static (inside,outside) [PUBLICIP] [INTERNALIP] netmask 255.255.255.255

Enable same security interface traffic:

same-security-traffic permit intra-interface

NAT inside to inside:

static (inside,inside) [PUBLICIP] 10.22.16.0 netmask 255.255.240.0
static (inside,inside) [PUBLICIP] 172.22.225.0 netmask 255.255.255.0

Then:

global (inside) 1 interface

It falls over at:

static (inside,inside) [PUBLICIP] 10.22.16.0 netmask 255.255.240.0

with the error:

global address overlaps with mask


I would be very grateful for some guidance.

Thank you

11 Replies

Does the server have its own public IP? Then you can use DNS doctoring instead of using NAT:

static (inside,outside) [PUBLICIP] [INTERNALIP] netmask 255.255.255.255 dns

That could make it much easier.

Thanks for the reply.

This is not working; the connection times out. Being an IP, surely there would be no DNS lookup?

I think the nat is required if anyone can help?

> being an IP surely there would be no dns lookup?

No, you now have to access the server by its public DNS name. But DNS doctoring will change the DNS reply to the internal IP, and your client can connect directly to the server.

I don't currently have an external DNS name. Could this also cause problems with caching? I have users that will frequently access from both sides.

I don't understand why

static (inside,inside) [PUBLICIP] 10.22.16.0 netmask 255.255.240.0

causes

global address overlaps with mask

The error is there because the netmask doesn't match the PUBLICIP. It should work with

static (inside,inside) [PUBLICIP] [INTERNALIP] netmask 255.255.255.255

I tried that and it just times out. I'm stumped.

What is the result of packet-tracer:

packet-tracer input inside tcp IP-OF-AN-INTERNAL-PC 1234 PUBLICIP 80

This is to the server in question:

Result of the command: "packet-tracer input inside tcp 10.22.128.34 1234 213.i.i.98 80"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) WorkFolderTest 10.22.128.34 netmask 255.255.255.255
match ip INSIDE host 10.22.128.34 INSIDE any
static translation to WorkFolderTest
translate_hits = 3, untranslate_hits = 520
Additional Information:
NAT divert to egress interface INSIDE
Untranslate WorkFolderTest/0 to 10.22.128.34/0 using netmask 255.255.255.255

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.22.128.0 255.255.240.0 INSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip host 10.22.128.34 any log disable
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (INSIDE,INSIDE) WorkFolderTest 10.22.128.34 netmask 255.255.255.255
match ip INSIDE host 10.22.128.34 INSIDE any
static translation to WorkFolderTest
translate_hits = 3, untranslate_hits = 520
Additional Information:
Static translate 10.22.128.34/0 to WorkFolderTest/0 using netmask 255.255.255.255

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (INSIDE,INSIDE) WorkFolderTest 10.22.128.34 netmask 255.255.255.255
match ip INSIDE host 10.22.128.34 INSIDE any
static translation to WorkFolderTest
translate_hits = 3, untranslate_hits = 520
Additional Information:

Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (INSIDE,INSIDE) WorkFolderTest 10.22.128.34 netmask 255.255.255.255
match ip INSIDE host 10.22.128.34 INSIDE any
static translation to WorkFolderTest
translate_hits = 3, untranslate_hits = 520
Additional Information:

Phase: 14
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (INSIDE,INSIDE) WorkFolderTest 10.22.128.34 netmask 255.255.255.255
match ip INSIDE host 10.22.128.34 INSIDE any
static translation to WorkFolderTest
translate_hits = 3, untranslate_hits = 520
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26732784, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

I tried from a different IP and receive:

Phase: 9
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
match ip INSIDE any INSIDE any
dynamic translation to pool 1 (No matching global)
translate_hits = 66, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Clearly I'm missing something here.

Do you still have the inside global configured?

global (inside) 1 interface

Excellent - sorted. Thank you.
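The thread arrives at the working configuration in pieces (the original post's steps, the corrected host mask from the replies, and the missing inside global found at the end). Below is the assembled pre-8.3 hairpin configuration as an added example; it is not the poster's running config and was not supplied by anyone in the thread. Assumptions: interface names INSIDE, OUTSIDE and GuestWireless are taken from the posted interface config; PUBLICIP stands for the server's external address (i.i.i.98 in the post); the access-list name OUTSIDE_IN is made up for this example; the guest network's nat statement is attached to GuestWireless rather than INSIDE because that is the interface carrying 172.22.225.0/24 in the posted config. The poster's existing inside access-group (visible in the packet-tracer output) still has to permit the client to PUBLICIP; it is not redefined here. The syntax is ASA 8.2; on 8.3 and later NAT is written as object/twice NAT and this block does not apply.

```cisco
! ASA 8.2 hairpin NAT for an internal server reached by its public address from the LAN.
! Added example assembled from the thread, not the poster's configuration.
! PUBLICIP = the external address for the server (placeholder, as in the post).
! 10.22.16.34 = the internal server; interface names follow the posted config.

! 1. Let a flow enter and leave the same interface. Without this, inside-to-inside
!    traffic is dropped before NAT is ever consulted.
same-security-traffic permit intra-interface

! 2. Outbound dynamic PAT for LAN and guest users. The guest subnet lives on the
!    GuestWireless interface (assumption from the posted interface config), so its
!    nat statement names that interface, not INSIDE.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.22.16.0 255.255.240.0
nat (GuestWireless) 1 172.22.225.0 255.255.255.0

! 3. One-to-one static for the server. The "dns" keyword adds DNS doctoring: a DNS
!    reply for PUBLICIP that crosses the firewall is rewritten to 10.22.16.34, so a
!    client that connects by name never hairpins at all. It does nothing for clients
!    that type the bare IP, which is why the poster still needed step 4.
static (INSIDE,OUTSIDE) PUBLICIP 10.22.16.34 netmask 255.255.255.255 dns

! 4. Hairpin: inside clients addressing PUBLICIP are un-NATted to the server.
!    This must be a host-to-host static with a /32 mask. A network mask paired with a
!    single host on the global side is what produced "global address overlaps with
!    mask" in the post.
static (INSIDE,INSIDE) PUBLICIP 10.22.16.34 netmask 255.255.255.255

! 5. The piece the thread was missing. The client's source address matches
!    "nat (INSIDE) 1" and needs a global on the egress interface, which for a hairpin
!    is INSIDE. Without it packet-tracer reports
!    "dynamic translation to pool 1 (No matching global)" and drops the flow.
!    This PAT is also what makes the hairpin work at all: the server sees the
!    connection from the ASA's inside address (10.22.16.25) and replies through the
!    firewall. If the real client address were preserved, the server would answer
!    the client directly on the same segment and the session would never complete.
!    Cost: the server's logs show 10.22.16.25, not the real client, for hairpinned
!    connections; DNS doctoring (step 3) avoids that for clients that use the name.
global (INSIDE) 1 interface

! 6. Expose only the four ports named in the post from the outside. In 8.2 the
!    outside ACL references the global (public) address, not the translated one.
!    The ACL name OUTSIDE_IN is invented for this example.
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP eq 21
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP eq 80
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP eq 8000
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP eq 8082
access-group OUTSIDE_IN in interface OUTSIDE
```

To confirm the result, run the same packet-tracer the thread used from an inside client address to PUBLICIP on port 80; the NAT phase should show the static (INSIDE,INSIDE) un-NAT and the flow should end in "Action: allow" rather than the "No matching global" drop shown above. Note that the posted ports include 21 (FTP) in cleartext; nothing in the hairpin changes that, but it is worth flagging when the same server is also reachable from the internet.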
