03-27-2017 06:28 AM - edited 03-12-2019 02:08 AM
Hello
When I want to open a website on the public IP of the firewall from the internal LAN, I cannot open it.
What's the problem? Is it not possible to open a connection to a server from the inside via the public IP of the firewall?
From outside everything is working fine.
Thanks
03-27-2017 06:44 AM
No this is not possible by design. You cannot access anything on a far end interface of the ASA when coming in from another interface. This is documented here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#29729
03-27-2017 07:19 AM
Hmmm, but what is the problem?
I open an HTTP request to a public IP.
On the outside interface I made a NAT to the server inside.
The NAT is working perfectly when the packet comes from the internet. When I open the HTTP request from the inside interface to the public IP of the NAT, I get an unreachable.
So the packet from the inside goes through NAT, comes to the outside interface and goes back through the NAT to the server inside.
Am I right?
Thanks
03-27-2017 07:43 AM
It is a carryover from its PIX days, I believe. Basically the ASA does not allow you to access any resource on any interface if the traffic is sourced from any other interface. These checks happen even before NAT is checked, so it is not a problem with your NAT.
03-28-2017 12:28 AM
OK, thanks for the perfect answer. The problem I had is that I now always have error messages in the log.
When someone in the network makes a connection to the public IP, I had this message:
Deny IP spoof from (xxx.xxxx.xxxx.xxxx) to xxx.xxx.xxx.xxxx on interface outside
Then I can only block the IP from inside to outside, or do you have a better idea?
Thanks
03-28-2017 03:16 AM
Yeah, the log is shown because the inside user gets translated to the same public IP address as the destination, resulting in the source and destination IP address fields being the same. You can stop this by applying an ACL on your inside interface to block traffic to the public IP address for your inside users.
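As an added illustration of that ACL (not configuration from this thread), here is what it looks like in ASA syntax; the address 198.51.100.10 and the names public_web_ip and inside_in are placeholders, and the permit at the end is needed because applying an ACL to the inside interface replaces the default outbound permit:

```cisco
! Constructed example: 198.51.100.10 stands in for the firewall's outside (public) IP
object network public_web_ip
 host 198.51.100.10
! Deny inside hosts talking to the outside IP; "log" records the real pre-NAT
! inside source address (message 106100), which the spoof message does not show
access-list inside_in extended deny ip any object public_web_ip log
! Keep normal outbound traffic allowed
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Afterwards `show access-list inside_in` shows the hit count on the deny entry, so you can see which inside clients are still pointed at the public address (they should use the server's inside address or an internal DNS record instead).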