
NAT and U-turn traffic

jagdev.dhaliwal
Beginner

Hello All,

I have a situation: I published a web service over the Internet. It's working fine for Internet users. Now I want internal users to access the same application using the public IP, but it does not work for internal users.

Internal User +Web Server (same Vlan)----------- ASA -------- Internet Router


ASA Version 8.2(5)

For Internet access

nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

WEB Server NAT

static (Inside,Outside) <Public IP Y.Y.Y.Y>  <Private IP X.X.X.X> netmask 255.255.255.255

ACL
access-list OUTSIDE extended permit tcp any host Public IP Y.Y.Y.Y eq https

U-Turn traffic

same-security-traffic permit intra-interface


Can you please suggest what the issue is: ARP, source NAT, or anything else?

Thanks

Jagdev



mkdccie
Beginner

Hi Jagdev,

You can use real server ip address, then make no nat for that.

Regards,

MKDCCIE

Jennifer Halim
Cisco Employee

Here we go:

static (Inside,Inside)   netmask 255.255.255.255

Also, ensure that if you have access-list on the inside interface, it does allow the traffic.

Thanks Mohammed and Jennifer,

Mohammed: I can't use the real IP address for the server.

Jennifer: Your suggestion looks fine; will it have any impact on the Internet traffic? One more thing: I also want to know what's wrong with my current config.

Thanks

Jagdev

No, the static (Inside,Inside) will not impact the internet traffic.

There is nothing wrong with your current config, it's just missing the "static (Inside,Inside)" command. Do not replace the existing static command that you already have configured as those are for the web server to be accessible from the outside/internet.

To access the web server using the public IP from internal network, my suggested static NAT statement will allow that access.

Thanks for your prompt response,

One more thing: what would the source address be when the traffic hits the web server? Because the server and client are in the same subnet, if the source address of the client is not changed, then the web server will respond directly to the client, which will not accept the response.

Regards

Jagdev

Ahh, great question.

If the server and client are in the same subnet, then you should also configure TCP state bypass for that particular traffic; otherwise the ASA will drop the packets since it's an asymmetric path.

Here is the configuration guide to configure TCP State Bypass:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Thanks Jennifer

It will make the setup more complex; I would suggest the system team create another DNS entry for intranet users.

Regards

Jagdev

lcambron
Participant

Hello Jagdev,

You don't need TCP bypass for this one.

static (Inside,Inside)  

global (inside) 1 interface

That should take care of the issue.

Basically the first one will redirect the traffic from the public IP to the private one.

And the second one will change the source IP to the ASA's inside address, avoiding the asymmetric path.

Let me know if you have questions.

Regards,

Felipe.
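To make Felipe's two-line explanation concrete, here is an added model of the hairpin flow (not ASA code and not from this thread) that traces a client request through the `static (Inside,Inside)` translation with and without the `global (inside)` source NAT. The addresses, the ASA inside address and the /24 check are constructed placeholders standing in for Y.Y.Y.Y and X.X.X.X; without source NAT the server's reply bypasses the ASA and the client sees it from the wrong address, which is the asymmetric path Jagdev asked about.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (the thread uses Y.Y.Y.Y / X.X.X.X).
PUBLIC_IP = "203.0.113.10"   # stands in for the web server's public IP Y.Y.Y.Y
SERVER_IP = "10.1.1.20"      # stands in for the server's private IP X.X.X.X
CLIENT_IP = "10.1.1.50"      # internal user on the same VLAN as the server
ASA_INSIDE_IP = "10.1.1.1"   # ASA inside interface, the VLAN's default gateway
INSIDE_PREFIX = "10.1.1."    # constructed /24 used to decide "same subnet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def same_subnet(a: str, b: str) -> bool:
    """Hosts on the same VLAN deliver to each other directly via ARP."""
    return a.startswith(INSIDE_PREFIX) and b.startswith(INSIDE_PREFIX)


def asa_translate(pkt: Packet, source_nat: bool) -> Packet:
    """static (Inside,Inside) maps the public IP to the real server; with
    global (inside) the source is also rewritten to the ASA inside address."""
    dst = SERVER_IP if pkt.dst == PUBLIC_IP else pkt.dst
    src = ASA_INSIDE_IP if source_nat else pkt.src
    return Packet(src, dst)


def asa_untranslate(pkt: Packet, source_nat: bool) -> Packet:
    """Return path: the server's reply is shown as coming from the public IP,
    and a reply addressed to the ASA is handed back to the original client."""
    src = PUBLIC_IP if pkt.src == SERVER_IP else pkt.src
    dst = CLIENT_IP if (source_nat and pkt.dst == ASA_INSIDE_IP) else pkt.dst
    return Packet(src, dst)


def simulate(source_nat: bool) -> dict:
    """Client connects to the public IP; report what reaches it and whether
    its TCP stack would match the reply to the connection it opened."""
    request = Packet(CLIENT_IP, PUBLIC_IP)          # off-subnet, so it goes to the ASA
    at_server = asa_translate(request, source_nat)
    reply = Packet(at_server.dst, at_server.src)   # server answers whoever it saw
    if reply.dst == ASA_INSIDE_IP or not same_subnet(reply.src, reply.dst):
        seen_by_client, via_asa = asa_untranslate(reply, source_nat), True
    else:
        # Reply is for a host on the local VLAN: delivered directly, the ASA
        # never sees the return half of the flow (asymmetric path).
        seen_by_client, via_asa = reply, False
    accepted = seen_by_client.src == PUBLIC_IP and seen_by_client.dst == CLIENT_IP
    return {"reply_src": seen_by_client.src, "via_asa": via_asa, "accepted": accepted}
```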

Thanks lcambron,

My current NAT settings for outbound traffic are

For Internet access

nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

global (inside) 1 interface -- My understanding is that this will apply the NAT change only to U-turn traffic? Can we make a policy so that the source is NATed only if the destination is

Thanks

Jagdev

Jagdev,

global (inside) should NAT the traffic only if the destination is on the inside interface, so you don't need to create a policy destination NAT; however, it is possible:

access-list NAT permit ip any host Private_IP

nat (inside) 2 access-list NAT

global (inside) 2 interface

Regards,

Felipe.

Thanks Felipe.

Jagdev
