Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
1
Replies

PIX-515 ver.7.2 Intra Interface

lrousset42650
Beginner
Beginner

‎11-24-2009 01:39 AM - edited ‎03-11-2019 09:41 AM

Hi,

To make it simple : we have an 8 IPs  subnet bound to one of our external interface. We’re doing dynaminc NAT with one  of these addresses to get out. We are also statically NATing our servers to the  other IPs (quite usual I think). From now on we’ve been using split DNS to  access servers from inside and outside.

Now we want to access our severs  with their external IPs from inside network and haven’t been able to configure  it on the PIX.(see the screen of network)

I use the command : same−security−traffic permit intra−interface

Now when I try to connect to a web server from an IP in 10.0.0.0 here is my log  on PIX:

6 Nov 23 2009 18:10:20 305011 10.0.0.6 *.*.*.209 Built dynamic TCP translation from inside:10.0.0.6/1353 to FibreOptique:*.*.*.209/19164

6 Nov 23 2009 18:10:20 302013 *.*.*.211 10.0.0.6 Built outbound TCP connection 565861 for FibreOptique:*.*.*.211/80 (*.*.*./80) to inside:10.0.0.6/1353 (*.*.*.209/19164)

6      Nov 23 2009      18:10:38      302014      *.*.*.211      10.0.0.6   
Teardown TCP connection 565861 for FibreOptique:*.*.*.211/80 to inside:10.0.0.6/1353 duration 0:00:30 bytes 0 SYN Timeout

I don't understand why I can't connect to this webserver and why there's a TEARDOWN TCP.

Thanks for your answer

network.JPG

Labels:
0 Helpful
1 Reply 1

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-24-2009 06:47 AM

So what you are trying to do is hairpin traffic on the outside interface. That is not supported automatically on the ASA.

Usually accessing an outside ip from the inside is not recommended. An internal dns servers need to be tweaked to give internal ip addresss (something you have done I think with split dns). Also if you are using outside dns servers you can do dns doctoring so that internal hosts will use internal ip addresses to go to.

Now you might be able to get away with it, but it will not be the recommended solution.

You need the "same security intra", which you already have.

You also will need a

static (inside,inside) outside_server_ip inside_server_ip

static (inside,inside) inside_subnet_non_used_ip inside_client_ip

The latter static is to have the ASA take the return traffic for the client. If the server and the client are in the same subnet then the server might respond to the client directly (not through the ASA) which would cause assymmetric routing. You need the ASA to hairpin and back and forth traffic.

I hope it helps.

PK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents