12-19-2011 08:55 PM - edited 03-11-2019 03:03 PM
Hi,
I have one segment below the firewall, i.e. LAN -> 192.168.1.0/24. From this segment I have one server, 192.168.1.2, that is translated to, suppose, 1.2.3.4/32, and I have one more server, a DNS server, that is translated to the same IP 1.2.3.4.
Now my problem is: if I want to access the server 192.168.1.2 from the same segment, it should be accessed from outside (suppose traffic initiates from 192.168.1.0/24; the request needs to go outside and come back to 192.168.1.2, with translation or anything, no problem).
Please help me with the same.
Thanks,
Abhinay
12-20-2011 04:35 AM
Abhinay,
Can you please describe this in more brief?
You've two servers in your network 192.168.1.0/24.
And you want to translate both of them to 1.2.3.4? Am I right in understanding this?
Do you want to access this web-server 192.168.1.2 using its translated ip address 1.2.3.4 from the inside network "192.168.1.0/24"?
If yes,
Then think about this.
1. You initiate a packet from a Client 192.168.1.10 to abc.com.
2. Your Local DNS server resolves it to 1.2.3.4 and provides this ip address to the Client.
3. Now 192.168.1.10 initiates a packet to 1.2.3.4 and sends it to the ASA, as the ASA is the default gateway of this client.
4. The ASA does a routing lookup and has a route for 0.0.0.0 0.0.0.0 pointing to outside, so as per the ASA this destination IP address 1.2.3.4 is on the outside interface.
5. After the routing lookup the ASA finds that this IP address 1.2.3.4 on outside is translated to 192.168.1.2 on inside and should go back to the inside network.
6. The ASA cannot allow this, as this same packet tries to go from inside to outside and again back to inside.
So we can do hair-pinning in this solution.
static (inside,inside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255
This gives the ASA an xlate on the inside interface, and if the ASA receives a packet on the inside interface for the 1.2.3.4 IP address, the ASA u-turns that packet (by default not allowed) back to the inside network and sends it to 192.168.1.2.
Please check this.
Let me know if you've any further doubts.
Puneet
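The hairpin configuration described in the answer above, written out as an added example (not the thread's own config). It assumes ASA 8.2-style syntax, interface names inside/outside, a client and server on the same inside subnet, and that any access-list applied inbound on inside also permits traffic to 1.2.3.4.

```cisco
! Added example, not from the thread. Assumes ASA 8.2 syntax and interface names inside/outside.
!
! The u-turn on a single interface is refused by default; this permits it.
same-security-traffic permit intra-interface
!
! Normal static for clients on the Internet (assumed; the thread only shows the inside,inside line).
static (inside,outside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255
!
! Hairpin xlate: a packet arriving on inside for 1.2.3.4 is translated to 192.168.1.2
! and sent back out the inside interface.
static (inside,inside) 1.2.3.4 192.168.1.2 netmask 255.255.255.255
!
! Caveat (assumption): when client and server share a subnet, the server's reply would go
! straight to the client at layer 2, bypassing the ASA, and the client would see a reply
! from 192.168.1.2 instead of 1.2.3.4. PAT the hairpinned clients to the ASA inside address
! so the reply returns through the firewall and is un-translated consistently.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
!
! Verification (exec mode): the static xlate should be listed, and a client flow to 1.2.3.4
! should build a connection entry.
! show xlate
! show conn | include 1.2.3.4
```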
12-19-2011 09:00 PM
192.168.1.2 --> web server
12-26-2011 02:16 AM
Excellent, thanks a lot... it works...
12-26-2011 02:26 AM
Also, when I was trying to do some research on the same thing, that is, the Land attack:
Static (in,in) can also mitigate this issue; that's my observation. If corrections are needed, please let me know.