Firewall needs to access server from same segment but from outside.

abhi-adte (Level 1)

Hi,

I have one segment below the Firewall, i.e. LAN -> 192.168.1.0/24. From this segment I have one server, 192.168.1.2, that is translated to, suppose, 1.2.3.4/32, and I have one more server, a DNS server, translated with the same IP 1.2.3.4.

Now my problem is: if I want to access the server 192.168.1.2 from the same segment, it has to be accessed from outside (suppose traffic initiated from 192.168.1.0/24; the request needs to go outside and come back to 192.168.1.2, with translation or anything, no problem).

Please help me on same.

Thanks,

Abhinay

Accepted Solution

puseth (Level 1)

Abhinay,

Can you please describe this in more brief?

You've two servers in your network 192.168.1.0/24.

And you want to translate both of them to 1.2.3.4? Am I right in understanding this?

Do you want to access this web-server 192.168.1.2 using its translated ip address 1.2.3.4 from the inside network "192.168.1.0/24"?

If yes,

Then think about this.

1. You initiate a packet from a Client 192.168.1.10 to abc.com.

2. Your Local DNS server resolves it to 1.2.3.4 and provides this ip address to the Client.

3. Now 192.168.1.10 initiates a packet to 1.2.3.4 and sends it to the ASA, as the ASA is the default gateway of this Client.

4. ASA does a routing lookup and has a route for 0.0.0.0 0.0.0.0 pointing to outside, so as per the ASA this destination IP address 1.2.3.4 is on the outside interface.

5. After the routing lookup the ASA finds that this IP address 1.2.3.4 on outside is translated to 192.168.1.2 on inside and should go back to the inside network.

6. The ASA cannot allow this, as this same packet tries to go from inside to outside and again back to inside.

So we can do hair-pinning in this solution.

static (inside,inside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255

This gives the ASA an xlate on the inside interface, and if the ASA receives a packet on the inside interface for the 1.2.3.4 IP address, the ASA u-turns that packet (by default not allowed) back to the inside network and sends it to 192.168.1.2.

Please check this

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Let me know if you've any further doubts.

Puneet
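For reference, here is the pre-8.3 ASA configuration the answer above is describing, written out as an added example (it is not config posted in this thread). It assumes the interfaces are named "inside" and "outside" and that the web server and its public address are the 192.168.1.2 / 1.2.3.4 pair from the question; the source PAT to the inside interface address is an addition on my part, needed because the client and server share a segment.

```text
! Allow traffic to enter and leave the same interface (off by default;
! without it the u-turn in step 6 is dropped).
same-security-traffic permit intra-interface

! Normal inbound translation for Internet clients reaching 1.2.3.4.
static (inside,outside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255

! Hairpin translation: a packet arriving on inside for 1.2.3.4 is
! translated to 192.168.1.2 and sent back out the inside interface.
static (inside,inside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255

! Assumed addition: also translate the inside client's source address to
! the ASA's inside interface address. Otherwise 192.168.1.2 answers the
! client directly on the LAN (bypassing the ASA), the client sees a reply
! from 192.168.1.2 instead of 1.2.3.4, and the connection fails.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
```

After applying it, an inside client connecting to 1.2.3.4 should show up in "show xlate" and "show conn" with both legs on the inside interface.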


4 Replies

abhi-adte (Level 1)

192.168.1.2 --> web server


Excellent, thanks a lot... it works...

Also, I was trying to do some research on the same thing, that is, the Land attack.

Static (in,in) can also mitigate this issue; that's my observation. If it needs corrections, please let me know.
