Hairpinning?

Computerwiz24
Level 1

Hello,

I have a Cisco ASA 5505 Firewall I need some help with. I have 2 cameras set up on my inside network that I need access to from my outside network. I set up the NAT rules from outside to inside along with the access list to allow traffic. Everything works fine as long as I'm not on my internal network. When I'm on my internal network it doesn't work. I need to set it up so I can use my external IP for both internal and external use. Doing some research I think I need to use hairpinning? I have tried setting it up but I'm not having much luck. Can someone help me with the config needed for hairpinning? I can post my config if needed. Thank you for any help on this issue.

21 Replies

Hello,

Sorry for the delay in response. All I suggested is to create 2 twice NAT statements wherein the destination real port is different and the mapped port is the same. Except for the destination real port, the NAT statements are exactly the same. Let me know if that fits your requirement. The link that I attached talks about the same stuff.

The idea is to map the source IP to the interface, and the destination mapping remains the same combo. Just the destination port differs. Try to understand the flow here and you will get it.

Let me know if there are any questions.

-

AJ

No problem on the delay. So for example, if my outside IP was x.x.x.x and my inside device was 192.168.1.200 on a 192.168.1.0 255.255.255.0 subnet, when I'm on the internal network using my public IP, would my NAT statement look like this?

nat (inside,inside) source dynamic 192.168.1.0 interface destination static x.x.x.x 192.168.1.200

Thank you

AJ

Yes, and since you need access on 2 destination ports, you can add 2 of these statements with 2 different port numbers - one real and the other mapped.

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1

'any' will be your inside network 192.168.1.0/x

obj-real = 192.168.1.200

obj-map = x.x.x.x

MAPPED_port = first mapped port on which access is needed

MAPPED_port1 = second port on which access is needed

REAL_port1 = the actual port on which the server is listening

If you don't have a second destination port, you can just add one statement.

HTH

-

AJ

Here is what I have so far. Still no traffic passing at this point. Do you see what I'm doing wrong?

Thank you

AJ

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network NETWORK_INSIDE
 subnet 192.168.1.0 255.255.255.0
object network Garage_Camera
 host 192.168.1.200
object network Backyard_Camera
 host 192.168.1.201
object service Garage_Cam
 service tcp source eq 83 destination eq 83
object service Back_Cam
 service tcp source eq 82 destination eq 82
object network interface-outside
 host X.X.X.X
object service Garage_Mapped
 service tcp source eq 90 destination eq 90

 network-object object NETWORK_INSIDE

access-list GarageCamera extended permit tcp any object Garage_Camera eq 83
access-list BackyardCamera extended permit tcp any object Garage_Camera eq 83
access-list BackyardCamera extended permit tcp any object Backyard_Camera eq 82
nat (inside,inside) source dynamic NETWORK_INSIDE interface destination static interface-outside Garage_Camera service Garage_Mapped Garage_Cam

I got it to work! Below is the NAT statement I ended up using. My only question that I don't understand is why does it work using the real port numbers on the original and translated? I didn't use my mapped port in the NAT statement. Either way, thank you very much for all the help!!

nat (inside,inside) source dynamic NETWORK_INSIDE interface destination static interface-outside Garage_Camera service Real_GARAGE_CAM Real_GARAGE_CAM
nat (inside,inside) source dynamic NETWORK_INSIDE interface destination static interface-outside Backyard_Camera service Real_Backyard_Camera Real_Backyard_Camera

craig.cordts
Level 1

DNS Rewrite / Doctoring might work for this.

From http://packetsneverlie.blogspot.com/2010/08/dns-rewrite.html

DNS Rewrite is a feature of the ASA and PIX that enables the firewall to rewrite DNS A queries when the destination server is located on the same network as the client or, for example, if the public IP address of that server is statically mapped to some DMZ address.

Here is another good article from Cisco

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Good luck

Craig

Ajay Saini
Level 11

This is what we need here:

While accessing this from internal, we need 2 things:

1. destination translation, so that when we hit the public IP the firewall should do a proxy-ARP and send the traffic back to the internal camera's real IP

2. source IP mapped to the internal interface IP address, so that reply packets go back to the ASA and hence we don't have asymmetric routing.

Remove the (inside,inside) NAT statement that you have added and try the below (I am taking an example):

real IP of camera - x.x.x.x

mapped IP of camera - y.y.y.y

object network obj-real
 host x.x.x.x
object network obj-map
 host y.y.y.y

nat (inside,inside) source dynamic any interface destination static obj-map obj-real

Please try this in a downtime and let me know if that works.

HTH

AJ
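Putting AJ's two requirements (destination translated to the camera's real IP, source translated to the inside interface) together with the two-port variant from the earlier reply, here is an added, consolidated ASA 8.3+ configuration for the original poster's two cameras; it is not from this thread or from Cisco. The object names PUBLIC_IP, Garage_Real, Garage_Mapped and Backyard_Real, the mapped port 90 and the ACL name OUTSIDE_IN are assumptions, and X.X.X.X stands for the public address.

```cisco
! Hairpin (U-turn) NAT for two inside cameras reached via the public IP from the LAN.
! Assumed names: PUBLIC_IP, Garage_Real, Garage_Mapped, Backyard_Real, OUTSIDE_IN;
! mapped port 90 is illustrative. X.X.X.X = the ASA's public address.
same-security-traffic permit intra-interface

object network NETWORK_INSIDE
 subnet 192.168.1.0 255.255.255.0
object network Garage_Camera
 host 192.168.1.200
object network Backyard_Camera
 host 192.168.1.201
object network PUBLIC_IP
 host X.X.X.X

! Service objects for twice NAT: only the destination port is specified,
! so a client's random source port is not required to match.
object service Garage_Real
 service tcp destination eq 83
object service Garage_Mapped
 service tcp destination eq 90
object service Backyard_Real
 service tcp destination eq 82

! Port-forwards from the outside (object NAT: real port, then mapped port).
object network Garage_Camera
 nat (inside,outside) static interface service tcp 83 90
object network Backyard_Camera
 nat (inside,outside) static interface service tcp 82 82

! Hairpin: LAN client -> X.X.X.X:90 becomes -> 192.168.1.200:83, and the client's
! source becomes the inside interface IP, so the camera's reply returns via the ASA.
nat (inside,inside) source dynamic NETWORK_INSIDE interface destination static PUBLIC_IP Garage_Camera service Garage_Mapped Garage_Real
! Identity port case (mapped port == real port): same service object on both sides.
nat (inside,inside) source dynamic NETWORK_INSIDE interface destination static PUBLIC_IP Backyard_Camera service Backyard_Real Backyard_Real

! Outside-to-inside ACL is written against the real (post-NAT) ports.
access-list OUTSIDE_IN extended permit tcp any object Garage_Camera eq 83
access-list OUTSIDE_IN extended permit tcp any object Backyard_Camera eq 82
access-group OUTSIDE_IN in interface outside

! Verify the hairpin path from a LAN host (source port 40000 is arbitrary):
! packet-tracer input inside tcp 192.168.1.50 40000 X.X.X.X 90
! show nat detail
! show xlate
```

packet-tracer should show the (inside,inside) twice-NAT rule being hit with the destination rewritten to 192.168.1.200:83 and the source to the inside interface IP; if it reports a drop, check that intra-interface traffic is permitted and that the twice-NAT rule precedes any conflicting object NAT.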
