Routing Problem

Hello 

When I want to open a website via the public IP on the firewall from the internal LAN, I cannot open it.

What's the problem? Is it not possible to open a connection from the inside to a server via the public IP of the firewall?

From outside everything is working fine.

Thanks


Rahul Govindan
VIP Alumni

No, this is not possible by design. You cannot access anything on a far-end interface of the ASA when coming in from another interface. This is documented here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#29729

Hmmm, but what is the problem?

I open an HTTP request to a public IP.

On the outside interface I made a NAT to the server inside.

The NAT is working perfectly when the packet comes from the internet. When I open the HTTP request from the inside interface to the public IP of the NAT, I get an unreachable.

So the packet from the inside goes through NAT, arrives at the outside interface and goes back through the NAT to the server inside.

Am I right?

Thanks

It is a carryover from its PIX days, I believe. Basically the ASA does not allow you to access any resource on any interface if the traffic is sourced from any other interface. These checks happen even before NAT is checked, so it is not a problem with your NAT.

OK, thanks for the perfect answer. The problem I have is that I now always get error messages in the log.

When someone in the network makes a connection to the public IP, I get this message:

 Deny IP spoof from (xxx.xxxx.xxxx.xxxx) to xxx.xxx.xxx.xxxx on interface outside

Then I can only block the IP from inside to outside, or do you have a better idea?

Thanks

Yeah, the log is shown because the inside user gets translated to the same public IP address as the destination, resulting in the source and destination IP address fields being the same. You can stop this by applying an ACL on your inside interface to block traffic to the public IP address for your inside users.
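As an added example, not from this thread or from Cisco's documentation, the following ASA configuration fragment implements the accepted answer: an ACL applied inbound on the inside interface that denies HTTP from inside hosts to the firewall's public IP and then permits everything else. The public address 203.0.113.10, the interface name `inside` and the ACL name `INSIDE_IN` are constructed placeholders; substitute your own values.

```cisco
! Assumed placeholder: 203.0.113.10 is the public IP that the static NAT
! for the internal web server uses on the outside interface.
! Deny inside hosts reaching that public IP on TCP/80. The "log" keyword
! records the hit as an ACL deny, so the "Deny IP spoof" message no longer
! fires for this traffic and the drops are attributable to this rule.
access-list INSIDE_IN extended deny tcp any host 203.0.113.10 eq www log

! Once an ACL is bound to an interface the implicit permit from a higher
! to a lower security level is gone and the ACL ends in an implicit deny,
! so the remaining inside traffic must be permitted explicitly (or your
! existing inside rules placed here instead of this catch-all).
access-list INSIDE_IN extended permit ip any any

! Bind the ACL inbound on the inside interface (assumed name "inside").
access-group INSIDE_IN in interface inside
```

After applying it, `show access-list INSIDE_IN` shows a hit count on the deny entry each time an inside host tries the public IP, which is a quick way to confirm the rule is the one absorbing the traffic that previously produced the spoof message. Order matters: the deny entry must precede the permit, because the ASA evaluates ACEs top down and stops at the first match.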
