cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1985
Views
0
Helpful
2
Replies

Cisco ASA and Internal Hosted Website

nickbarber
Level 1
Level 1

I have a Cisco ASA 8.4. I have an internal website for an application that they use both internal and externally (app.domain.com/app  is 10.0.0.3) The company that hosts their External Website and DNS created a record that points to http://app.domain.com/app to their public ip 1.2.3.4. Externally everything works great I have port forward for 80 working.  The problem is that when the users bring their laptops in to the office they are unable to get to the interanlly hosted website. I think the the firewall is having an issue letting the traffic back in. If i use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3 the internal address..it works.  Of course when they try to access the external website it does not work. So if create an A record that points to the web hosts address, it kinda of works...parts of the website don't come up. I really think I there is something like a hairpin or u-turn that needs to be done. Oh by the way this is my first real experince with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80.  Any ideas? I have tried several suggestions i found on the web, but none have worked.

Thanks

Nick

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.

You might for example have this configuration

object network WEB-SERVER

host 10.0.0.3

nat (inside,outside) static interface service 80 80

This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".

I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.

If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.

So you could try this configuration on the ASA

object network PUBLIC-IP

host

object network WEB-SERVER

host 10.0.0.3

object network LAN

subnet

nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER

The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)

You would also perhaps needs to add this command

same-security-traffic permit intra-interface

This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn

You can check the current configuration with the command

show run same-security-traffic

Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.

Hope this helps

Let me know how it goes

- Jouni

View solution in original post

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.

You might for example have this configuration

object network WEB-SERVER

host 10.0.0.3

nat (inside,outside) static interface service 80 80

This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".

I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.

If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.

So you could try this configuration on the ASA

object network PUBLIC-IP

host

object network WEB-SERVER

host 10.0.0.3

object network LAN

subnet

nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER

The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)

You would also perhaps needs to add this command

same-security-traffic permit intra-interface

This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn

You can check the current configuration with the command

show run same-security-traffic

Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.

Hope this helps

Let me know how it goes

- Jouni

Thanks I REALLY Apperciate the help, I tried this a few minutes ago and it worked like a charm. So glad the forums have awesome people like you!

Review Cisco Networking for a $25 gift card