10-08-2009 07:39 PM - edited 03-11-2019 09:24 AM
I have the following static address translations configured and an access-list for inbound UDP and TCP services.
Is there a way, in addition to a one-to-one NAT and an access rule, to allow the systems below to communicate over the public IP addresses and not the internal ones?
The issue is that when our hosted application provider communicates to the public IP x.x.x.x, all systems need to talk to each other, but they are doing it over the private (RFC 1918, non-routable) IP addresses.
They need to communicate over the public network assigned to them.
static (inside,outside) x.x.x.x 192.168.1.165
static (inside,outside) x.x.x.x 192.168.1.166
static (inside,outside) x.x.x.x 192.168.1.167
static (inside,outside) x.x.x.x 192.168.1.168
Thanks,
Juan
10-09-2009 01:12 PM
Hi,
It seems like you are trying to access your internal server from internal hosts, but with its public IP. If that is the case, here is the static command you would need to configure:
static (inside,inside) x.x.x.x 192.168.1.165
same-security-traffic permit intra-interface
failover timeout -1
But if you want to access the internal server from outside, you need the static commands you mentioned and an ACL permitting the inbound ports.
Regards,
Sourav Kakkar
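The combination Sourav describes, written out as a complete pre-8.3 ASA fragment. This is an added example, not configuration from the thread: the public address 203.0.113.10 (documentation range) stands in for the poster's x.x.x.x, and the inside subnet 192.168.1.0/24, the ACL name outside_in and TCP/443 are assumptions standing in for his services.

```cisco
! Added example (not from the thread). Assumed: 203.0.113.10 stands in for x.x.x.x,
! the server is 192.168.1.165, the inside subnet is 192.168.1.0/24, the service is TCP/443.

! 1. What the thread already has: outside-facing one-to-one static plus inbound ACL.
static (inside,outside) 203.0.113.10 192.168.1.165 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! 2. Let a packet enter and leave the same interface (hairpinning). Without this the
!    ASA drops inside-to-inside traffic that reaches it.
same-security-traffic permit intra-interface

! 3. Destination-translate the public IP back to the server for traffic arriving on
!    inside. A static is bidirectional, so it also source-translates traffic the server
!    itself sends back out the inside interface to 203.0.113.10; two servers that each
!    have an (inside,inside) static therefore see each other's public addresses.
static (inside,inside) 203.0.113.10 192.168.1.165 netmask 255.255.255.255

! 4. Inside hosts with no (inside,inside) static of their own keep their private source
!    address, so the server would answer them directly on the LAN, bypassing the ASA and
!    breaking the connection. PAT them to the inside interface address so the reply
!    comes back through the firewall. If "nat (inside) 1 ..." already exists for
!    outbound PAT, only the global (inside) line is new.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
```

To verify the hairpin path before testing from a host, run `packet-tracer input inside tcp 192.168.1.166 1025 203.0.113.10 443` and confirm the NAT phases and a final ALLOW result, then `show xlate` and `show conn` while a connection is open. The static/nat/global syntax above is pre-8.3; ASA 8.3 and later express the same translations as object NAT.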
10-10-2009 04:24 AM
Hi Sourav,
I need both. I already have the standard setup working, which is to access internal servers from outside, but I also need internal servers to speak to each other over public IP addresses.
I'm assuming that both setups will not conflict with each other.
static (inside,outside) x.x.x.x 192.168.1.165
and
static (inside,inside) x.x.x.x 192.168.1.165
with the proper ACLs
10-10-2009 03:33 PM
It sounds to me like you are trying to connect your internal servers by looking up their address in DNS? If so, you need the dns keyword on your statics, which will reply to your server with the internal IP instead of the public one for the NAT'ed addresses. There is no reason why your servers internally should be talking to each other via a NAT'ed public address.
10-10-2009 06:15 PM
For DNS doctoring to work the following should happen:
1. DNS request should go through the firewall.
2. DNS inspection should be enabled on the firewall.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
If the inside server gets DNS resolution from another inside server, then the dns keyword will not work.
You have two options:
1. Change the DNS server to resolve to the inside address and not the outside address.
or
2. Use DNAT, which is destination NAT, like what Sourav suggested, along with the existing static (inside,outside) that you already have.
static (inside,inside) x.x.x.x 192.168.1.165
same-security-traffic permit intra-interface
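The DNS doctoring alternative that Jan and the post above describe, as an added example rather than configuration from the thread. Same assumed addresses as before: 203.0.113.10 stands in for x.x.x.x and the server is 192.168.1.165; the policy-map and class names are the ASA defaults.

```cisco
! Added example (not from the thread). Assumed: 203.0.113.10 stands in for x.x.x.x,
! the server is 192.168.1.165.

! The dns keyword makes the ASA rewrite A-record answers that traverse this translation:
! an inside client asking an OUTSIDE resolver for the server's name gets 192.168.1.165
! back instead of 203.0.113.10, so it then connects over the private address directly.
static (inside,outside) 203.0.113.10 192.168.1.165 netmask 255.255.255.255 dns

! The rewrite only happens if DNS inspection is enabled. This is the default global
! policy on ASA 7.2 and later; it is shown in full so the dependency is visible.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Confirm the inspection is active with `show service-policy inspect dns`. The limitation the post points out follows directly from the mechanism: if the inside hosts resolve names from an inside DNS server, the reply never crosses the ASA and nothing is rewritten, so only the DNAT option applies in that case.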
10-11-2009 06:10 AM
Hi Jan,
The servers only use IP, and the hosting provider is telling me that when he communicates to my servers via the public IP, my servers talk to each other over the private IP and return the packet to the hosting provider with the private IP, and the host does not know how to reply back.
No DNS at all just IP.
Thanks,
Juan