ā02-09-2014 06:16 PM - edited ā03-11-2019 08:43 PM
I have a Cisco ASA 8.4. I have an internal website for an application that they use both internal and externally (app.domain.com/app is 10.0.0.3) The company that hosts their External Website and DNS created a record that points to http://app.domain.com/app to their public ip 1.2.3.4. Externally everything works great I have port forward for 80 working. The problem is that when the users bring their laptops in to the office they are unable to get to the interanlly hosted website. I think the the firewall is having an issue letting the traffic back in. If i use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3 the internal address..it works. Of course when they try to access the external website it does not work. So if create an A record that points to the web hosts address, it kinda of works...parts of the website don't come up. I really think I there is something like a hairpin or u-turn that needs to be done. Oh by the way this is my first real experince with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80. Any ideas? I have tried several suggestions i found on the web, but none have worked.
Thanks
Nick
Solved! Go to Solution.
ā02-10-2014 02:10 AM
Hi,
The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
You might for example have this configuration
object network WEB-SERVER
host 10.0.0.3
nat (inside,outside) static interface service 80 80
This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.
So you could try this configuration on the ASA
object network PUBLIC-IP
host
object network WEB-SERVER
host 10.0.0.3
object network LAN
subnet
nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
You would also perhaps needs to add this command
same-security-traffic permit intra-interface
This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn
You can check the current configuration with the command
show run same-security-traffic
Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
Hope this helps
Let me know how it goes
- Jouni
ā02-10-2014 02:10 AM
Hi,
The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
You might for example have this configuration
object network WEB-SERVER
host 10.0.0.3
nat (inside,outside) static interface service 80 80
This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.
So you could try this configuration on the ASA
object network PUBLIC-IP
host
object network WEB-SERVER
host 10.0.0.3
object network LAN
subnet
nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
You would also perhaps needs to add this command
same-security-traffic permit intra-interface
This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn
You can check the current configuration with the command
show run same-security-traffic
Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
Hope this helps
Let me know how it goes
- Jouni
ā02-10-2014 07:20 AM
Thanks I REALLY Apperciate the help, I tried this a few minutes ago and it worked like a charm. So glad the forums have awesome people like you!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide