
Inside Access to NAT IP on outside interface

JohnTylerPearce
Level 7

Hey, we have a server that has an outside IP and an inside IP. Its inside IP is 192.168.222.30/24 and its outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP, which is 199.204.50.2/29, is having issues; however, access to the inside IP works fine (this part makes sense).

Will it be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server?

LAN (192.168.222.0/24) <=====> Inside | ASA | Outside <=====> (Server with NAT IP 192.168.222.30/24; it's also physically assigned to this server)

This is an ASA 5510 with 8.4.

1 Accepted Solution

Accepted Solutions

Hello John,

OK, so if the DNS response from the DNS server will show 199.204.50.2, then this is what you need to do (8.4 talking):

object network Public_Server
 host 199.204.50.2
object network Internal_Server
 host 192.168.222.30
nat (inside,inside) source dynamic any interface destination static Public_Server Internal_Server
same-security-traffic permit intra-interface

Rate all the helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


11 Replies

There are two solutions, depending on your DNS design.

If your clients query only an inside server, then this server has to resolve the FQDN to the inside IP.

If an external DNS-Server is queried, then the nat-statement needs "dns-doctoring" which is configured with the parameter "dns".

alejands
Level 1

You want the inside subnet to access the server 192.168.222.30 using its public NATed IP 199.204.50.2?

Have you tried using a NAT for this?

nat (inside,inside) source static "object for 192.168.222.30" "object for 199.204.50.2"

with also the command:

same-security-traffic permit intra-interface

Let me know if this helps you.

Basically, we have a vmview connection server that has a dns name of vmview.companyx.com. The internal DNS for this site points to a public IP which is on an IP in the outside interface network range. From what you guys have suggested, and what I have researched, I believe I need to implement DNS re-write/Doctoring. I'm trying to find some good examples of syntax about this command on 8.4 code.

Your case should be similar to the following:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140517

It's really that easy, that you just add the parameter "dns".
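As an added example (not something any poster put in the thread), here is the object-NAT form of that rule for John's addresses, together with the DNS inspection the rewrite depends on. It assumes the interfaces are named inside and outside, reuses the Internal_Server object name from Julio's post, and assumes the clients' DNS replies actually cross the ASA:

```cisco
! Added example, not from the thread. Assumes interfaces "inside" and
! "outside" and the addresses from the original question.
object network Internal_Server
 host 192.168.222.30
 ! One-to-one static NAT for the server. The "dns" keyword makes the
 ! ASA rewrite A records containing 199.204.50.2 to 192.168.222.30 in
 ! DNS replies that pass through it towards inside clients (and the
 ! reverse for replies heading out), so inside hosts connect to the
 ! inside IP and no hairpin is needed.
 nat (inside,outside) static 199.204.50.2 dns
!
! The rewrite only happens for replies that DNS inspection sees. This is
! the ASA default global policy; check that it was not removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Verification from the ASA after an inside client resolves the name:
!   show running-config nat
!   show service-policy inspect dns
!   show xlate | include 192.168.222.30
```

The rewrite cannot touch a reply that never traverses the ASA: if an inside DNS server answers with the public IP directly, clients still get 199.204.50.2 and you need either the inside A record or the (inside,inside) hairpin NAT from Julio's post.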

Hey, thanks for the information guys. This worked but did not fix the problem. The internal DNS is hq.companyx.com and the external DNS is companyx.com. We get the response now from vmview.companyx.com as our internal IP, but the VmView VCS rejects it. From what I heard, this is because it's expecting to get a response from an outside connection. From what I was thinking, does the ASA NAT an internal IP (I have 225.0/24 PATd to outside IP) if the outside IP is on the directly connected subnet of the outside interface?

Do I understand you right:

- On the ASA you translate your inside source IPs when you access the DMZ from inside?

- On your VMView server is some access control that only allows access from certain IPs?

If that's the case it would be best to allow the VMView server to be accessed from the inside IP range. Additionally you should exempt the communication from being NATted when sent from inside to DMZ.

Hi Jean,

Do you have DNS inspection enabled (with policy-map) while testing with DNS doctoring?

Thx

MS

Yes, we have DNS inspection turned on. I think what I need to work with the VCS server is that my internal subnet on the inside interface of the ASA (192.168.225.0/24) needs to access a NAT'd IP (1.2.3.0/29). The VCS server has an IP address which is in the outside interface IP range.

The internal clients are having issues connecting to 1.2.3.2 which is the VCS server.

192.168.225.x (Inside Interface Range)<=====>(Outside Interface Range)1.2.3.2/29

The internal hosts cannot connect to 1.2.3.2/29.

I didn't know if this was some security feature that didn't allow internal hosts to access the outside interface IP range or not. Currently all internal hosts are PAT'd to 1.2.3.1 (outside interface IP).

Thanks, everyone for your help! Nicely done jcarvaja.

Hello Julio,

I have one question regarding this. I have a server that has a private IP 10.0.0.20/24 and is published on public IP X.X.X.X.

I have an ASA 5516.

How can I make users able to access the server on both the private and the public IP at the same time?

I have tried, for example, nat(servers-zone,outside): users are able to access only on the internal IP but not on the public IP.

I have tried nat(servers-zone,any): users are able to access only on the public IP; the internal IP doesn't work anymore.

Kindly assist please.

Regards,
