10-03-2012 12:50 AM - edited 03-11-2019 05:03 PM
Hello All,
I have a situation: I published a web service over the Internet. It's working fine for Internet users. Now I want the internal users to access the same application using the public IP. It does not work for internal users.
Internal User +Web Server (same Vlan)----------- ASA -------- Internet Router
ASA Version 8.2(5)
For Internet access
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
WEB Server NAT
static (Inside,Outside) <Public IP Y.Y.Y.Y> <Private IP X.X.X.X> netmask 255.255.255.255
ACL
access-list OUTSIDE extended permit tcp any host <Public IP Y.Y.Y.Y> eq https
U-Turn traffic
same-security-traffic permit intra-interface
Can you please suggest what the issue is: ARP/source NAT/anything else?
Thanks
Jagdev
10-03-2012 12:54 AM
Hi Jagdev,
You can use the real server IP address, then make a no-NAT for that.
Regards,
MKDCCIE
10-03-2012 12:56 AM
Here we go:
static (Inside,Inside)
Also, ensure that if you have access-list on the inside interface, it does allow the traffic.
10-03-2012 01:15 AM
Thanks Mohammed and Jennifer,
Mohammed: I can't use the real IP address for the server.
Jennifer: Your suggestion looks fine; will it make any impact on the Internet traffic? And one more thing: I also want to know what's wrong with my current config.
Thanks
Jagdev
10-03-2012 01:22 AM
No, the static (Inside,Inside) will not impact the internet traffic.
There is nothing wrong with your current config, it's just missing the "static (Inside,Inside)" command. Do not replace the existing static command that you already have configured as those are for the web server to be accessible from the outside/internet.
To access the web server using the public IP from internal network, my suggested static NAT statement will allow that access.
10-03-2012 01:28 AM
Thanks for your prompt response,
One more thing: what would be the source address when the traffic hits the web server? Because the server and client are in the same subnet, if the source address of the client does not change then the web server will respond directly to the client, which will not accept the response.
Regards
Jagdev
10-03-2012 02:28 AM
Ahh, great question.
If the server and client are in the same subnet, then you should also configure TCP state bypass for that particular traffic; otherwise, the ASA will drop the packet since it's an asymmetric path.
10-03-2012 02:29 AM
Here is the configuration guide to configure TCP State Bypass:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
10-03-2012 02:53 AM
Thanks Jennifer
It will make the stuff more complex; I would suggest the system team create another DNS for intranet users.
Regards
Jagdev
10-03-2012 11:55 AM
Hello Jagdev,
You don't need TCP bypass for this one.
static (Inside,Inside)
global (inside) 1 interface
That should take care of the issue.
Basically the first one will redirect the traffic from the public IP to the private one,
and the second one will change the source IP to the ASA's inside address, avoiding the asymmetric NAT.
Let me know if you have questions.
Regards,
Felipe.
10-05-2012 12:40 AM
Thanks Icambron,
My current NAT settings for outbound traffic are
For Internet access
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
global (inside) 1 interface -- My understanding is that it will make the NAT changes only for U-turn traffic? Can we make a policy that the source would NAT only if the destination is
Thanks
Jagdev
10-05-2012 09:05 AM
Jagdev,
global (inside) should NAT the traffic only if the destination is on the inside interface, so you don't need to create a policy destination NAT; however, it is possible:
access-list NAT permit ip any host Private_IP
nat (inside) 2 access-list NAT
global (inside) 2 interface
Regards,
Felipe.
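Putting the thread's pieces together as one ASA 8.2 hairpin configuration, as an added example that is not any poster's config: it keeps the original static and nat/global lines, completes the "static (Inside,Inside)" entry with the thread's Y.Y.Y.Y / X.X.X.X placeholders, uses Felipe's policy-NAT variant so only traffic headed to the web server is source-translated, and ends with a packet-tracer check. The client placeholder C.C.C.C and the ACL name NAT_WEB are assumptions.

```cisco
! --- existing Internet access and publishing (from the original post) ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) Y.Y.Y.Y X.X.X.X netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host Y.Y.Y.Y eq https
access-group OUTSIDE in interface outside
!
! --- allow traffic to enter and leave the same interface (U-turn) ---
same-security-traffic permit intra-interface
!
! --- destination NAT: inside hosts reaching the public IP are sent to the real server ---
static (inside,inside) Y.Y.Y.Y X.X.X.X netmask 255.255.255.255
!
! --- source NAT only for flows to the real server, so replies return via the ASA
!     instead of going straight to a client on the same VLAN (asymmetric path) ---
access-list NAT_WEB extended permit ip any host X.X.X.X
nat (inside) 2 access-list NAT_WEB
global (inside) 2 interface
!
! --- verification: simulate an inside client (C.C.C.C is a placeholder, not on the page)
!     opening HTTPS to the public IP; the trace should show the UN-NAT phase mapping
!     Y.Y.Y.Y to X.X.X.X, a NAT phase rewriting the source to the inside interface
!     address, and an outgoing interface of inside ---
packet-tracer input inside tcp C.C.C.C 40000 Y.Y.Y.Y 443
```

Because the source is rewritten, the web server's own logs will record the ASA inside address rather than the real client for these hairpinned connections, so client attribution for internal access has to come from the ASA's connection logs instead. Policy NAT (ID 2) is evaluated before the ordinary nat (inside) 1 rule, so Internet-bound traffic keeps using global (outside) 1.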