***NAT AND ROUTING***


Hi All,

Here it is... I've been fighting with an old-school server admin for about 3 months now, and I came to the conclusion to give up and do it his way... just to make him happy!

Anyway, here is the issue. The server admin guy has a few servers which I put in a DMZ, and I NAT their IP addresses to public ones for him. Everything works just fine (the outside world can browse the web server and all the other servers), and of course he can access them from inside!

What is the issue, you say? I wish I knew it myself!! Well, the server guy wants to access his servers from the INSIDE network via the PUBLIC IP!! His argument: "I want to see exactly what the outside world sees when I am troubleshooting." I try to explain to him that NAT doesn't alter any traffic, but he does not believe me.

Well, now I have to "fix" an issue which does not exist. To fix the issue, I thought I needed a static route in the INSIDE network for the public IP (e.g. 204.50.123.140 255.255.255.255 pointing to the FW), hoping that when the traffic gets to the FW, the ASA would translate the public IP to the NAT address in the DMZ. Well, that did not work, since it seems the ASA does the routing before the NAT; therefore, it sends the traffic to the outside interface!

Well, the first idea did not work... Time for something else! What about adding a route in the ASA itself for that IP address (204.50.123.140 255.255.255.255)? Looking at the ASA routing table (the ASA does participate in EIGRP routing with the internal router), traffic to the DMZ subnet is redistributed via the ASA inside interface. Therefore, a possible routing loop into the network??!!

One caveat: the DMZ does not have any layer 3 device downstream, and I can't use the ASA DMZ interface as the next hop. Therefore, I am stuck and have no more ideas. All traffic for the downstream network uses the INSIDE interface of the ASA!

So pros, please share your ideas and suggestions with me. Bear in mind, all the servers are virtualized. And of course, I don't have a lab to try a few things in before playing in prod!


Thanks

1 Reply

This is done quite often, actually, but normally I would suggest creating a DNS A record for this type of thing; however, I also run into brick walls sometimes and need to allow access on the inside network via the public IP of a server.

You can do this just by adding a policy NAT statement, but depending on the ASA version you are running (8.2 or earlier vs. 8.3 or later) the configuration is different. You will also need the same-security-traffic permit intra-interface command to allow for the "hairpinning" (that is, if the traffic is to make a U-turn and go back out the same interface).

In version 8.3 and later (I hope you are running a newer version than this) the commands would be something like the following:

object network PUBLIC-IP
  host 1.2.3.4

! The nat command belongs under the object that holds the REAL (pre-translation)
! address; the object or address after "static" is the MAPPED address.
! Traffic from inside destined to 1.2.3.4 is therefore rewritten to 10.10.10.10.
object network PRIVATE-IP
  host 10.10.10.10
  nat (inside,inside) static PUBLIC-IP

--

Please remember to select a correct answer and rate helpful posts
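The same translation applied to the topology in the question (server in the DMZ, reached from the inside network via its public address), as an added example that is not part of the original post or reply. The addresses 10.10.10.10 and 1.2.3.4 are taken from the reply; the interface name dmz, the inside subnet 192.168.1.0/24, the test host 192.168.1.50 and the object names are assumptions. Both the 8.3+ syntax and the 8.2-and-earlier equivalent are shown, followed by the commands used to verify the result on the ASA.

```cisco
! Added example (not from the original post or reply). Assumed names and
! addresses: DMZ interface "dmz", inside subnet 192.168.1.0/24, inside test
! host 192.168.1.50. The server's real address 10.10.10.10 and its public
! address 1.2.3.4 come from the reply.

! ===== ASA 8.3 and later: twice (manual) NAT =====
! Leaves the existing (dmz,outside) rule that publishes the server to the
! Internet untouched and adds a second rule for the inside -> public path.
object network INSIDE-NET
  subnet 192.168.1.0 255.255.255.0
object network DMZ-SERVER
  host 10.10.10.10
object network DMZ-SERVER-PUBLIC
  host 1.2.3.4

! Source is identity-translated; destination 1.2.3.4 is rewritten to
! 10.10.10.10. In twice NAT the destination pair is written mapped address
! first, then real address. Because the rule names (inside,dmz), the ASA
! forwards the packet out the dmz interface, regardless of where the routing
! table points 1.2.3.4.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-SERVER-PUBLIC DMZ-SERVER

! If an access-list is applied to the inside interface, remember that from
! 8.3 on ACLs match the REAL address (10.10.10.10), not 1.2.3.4.

! ===== ASA 8.2 and earlier: equivalent static =====
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (dmz,inside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255

! ===== Verification =====
! The inside router must already forward 1.2.3.4 to the ASA inside interface
! (the static route described in the question). Then trace a flow from the
! inside test host to the public address on port 80 and confirm the NAT
! phase rewrites the destination and the egress interface is dmz.
packet-tracer input inside tcp 192.168.1.50 12345 1.2.3.4 80
show nat detail
show xlate
```

With this interface pair the traffic enters on inside and leaves on dmz, so it is not a hairpin and the same-security-traffic permit intra-interface command is only required for the (inside,inside) form shown in the reply. The packet-tracer output is the quickest way to settle the "routing before NAT" question from the original post: the NAT lookup on the destination address selects the egress interface from the matching rule, so the route for 1.2.3.4 towards outside is not consulted for this flow.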
