02-05-2014 04:57 AM - edited 03-11-2019 08:40 PM
Hello,
I have an ASA 5505 running 9.0 in routed mode. I have everything working fine with the exception of one item. I've set up port forwarding for the services that I need to have running, such as HTTP, FTP, SSH, RDP etc. They all work from outside of the ASA; however, if I reference the webserver's URL internally, it will not work. So externally http://www.thewebserver.com works; however, if I use this same URL from a host behind the inside interface it will not work. I also cannot ping the external interface from inside the network, but can from outside of the ASA. My outside interface is obtaining an IP address via DHCP from my provider. My config is below.
Thanks in advance for any input!
KS
ASA Version 9.0(1)
!
hostname tazasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd lUgE9AXej18.2X7v encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network centos_www
host 10.10.200.85
description centos_www
object network NAS_FTP
host 10.10.200.15
description NAS_FTP
object network centos_ssh
host 10.10.200.85
description centos_ssh
object network Remote_Desktop_2
host 10.10.200.102
description Remote_Desktop_2
object network Remote_Desktop_1
host 10.10.200.100
description Remote_Desktop_1
object network Drive_CAM
host 10.10.200.26
description Drive_CAM
object network Door_CAM
host 10.10.200.25
description Door_CAM
object network ebooks_gateway
host 10.10.200.102
description ebooks_gateway
object network Linksys_phone
host 10.10.200.10
description Linksys_Phone
object network Inside_network
subnet 10.10.200.0 255.255.255.0
description Inside_Network
object network obj_any
subnet 0.0.0.0 0.0.0.0
description obj_any
object network xbox_3074_tcp
host 10.10.200.35
description xbox_3074_tcp
object network xbox_3074_udp
host 10.10.200.35
description xbox_3074_udp
object network centos_tftp
host 10.10.200.85
description centos_tftp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network centos_www
nat (any,outside) static interface service tcp www www
object network NAS_FTP
nat (any,outside) static interface service tcp ftp ftp
object network centos_ssh
nat (any,outside) static interface service tcp ssh ssh
object network Remote_Desktop_2
nat (any,outside) static interface service tcp 3390 3390
object network Remote_Desktop_1
nat (any,outside) static interface service tcp 3389 3389
object network Drive_CAM
nat (any,outside) static interface service tcp 9101 9101
object network Door_CAM
nat (any,outside) static interface no-proxy-arp service tcp 9100 9100
object network ebooks_gateway
nat (any,outside) static interface service tcp 8888 8888
object network Linksys_phone
nat (any,outside) static interface service tcp sip sip
object network Inside_network
nat (any,outside) static interface
object network obj_any
nat (inside,outside) dynamic interface
object network xbox_3074_tcp
nat (any,outside) static interface service tcp 3074 3074
object network xbox_3074_udp
nat (any,outside) static interface service udp 3074 3074
object network centos_tftp
nat (any,outside) static interface service udp tftp tftp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route inside 172.16.150.0 255.255.255.0 10.10.200.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.10.200.1 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.200.150-10.10.200.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ****** password nWdS.kwFG0AJMUCx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
end
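As an added example that is not part of the thread: a small audit script over a config in the style of the one posted above. It pairs each object network with its static PAT (port forward) so you can see which outside port lands on which inside host, and flags the management-plane lines (ASDM/telnet/ssh from 0.0.0.0/0, permit-ip-any-any ACLs) that a reviewer would want to tighten. The sample input is a constructed excerpt of the posted config; the function names are my own.

```python
# Added example (not from the thread): audit a static-PAT ASA config.
# SAMPLE_CONFIG is a constructed excerpt of the configuration posted above.
import re

SAMPLE_CONFIG = """\
object network centos_www
 host 10.10.200.85
object network Remote_Desktop_1
 host 10.10.200.100
object network centos_www
 nat (any,outside) static interface service tcp www www
object network Remote_Desktop_1
 nat (any,outside) static interface service tcp 3389 3389
access-list outside_access_in extended permit ip any any
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Object NAT static PAT: nat (real_ifc,mapped_ifc) static interface service
# {tcp|udp} real_port mapped_port  (real port comes first in object NAT)
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) static interface service (tcp|udp) (\S+) (\S+)")
MGMT_RE = re.compile(r"(http|telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
ANY_ACL_RE = re.compile(r"access-list \S+ extended permit ip any any")


def parse_forwards(config):
    """Return [(proto, mapped_port, real_host, real_port)] for every
    static PAT that exposes an inside host on the outside interface."""
    hosts, forwards, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]          # object definitions repeat:
        elif line.startswith("host ") and current:  # once for the host,
            hosts[current] = line.split()[1]   # once for its nat statement
        else:
            m = NAT_RE.match(line)
            if m and current:
                proto, real_port, mapped_port = m.group(3), m.group(4), m.group(5)
                forwards.append((proto, mapped_port, hosts.get(current, "?"), real_port))
    return forwards


def management_exposure(config):
    """Lines that open ASDM/telnet/ssh to any address, or permit ip any any."""
    return [line.strip() for line in config.splitlines()
            if MGMT_RE.match(line.strip()) or ANY_ACL_RE.match(line.strip())]
```

On the posted config this reports the web, FTP, SSH, RDP, camera, SIP and Xbox forwards, and lists the `http 0.0.0.0 0.0.0.0 outside` line, which exposes ASDM to the whole internet.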
02-05-2014 06:12 AM
Hi,
Seems like a problematic situation to me.
Usually one easy way is to use DNS rewrite, so that when the client asks the DNS server for the public IP address of the server, the ASA would modify the DNS reply to actually point to the local IP address of the server before returning the DNS reply to the client. But as you are using Static PAT (Port Forward), then this to my understanding is not possible.
One other usual option is to do a special NAT so that you can connect to the server from your LAN with the public IP address, but since you mention that your ASA gets its public IP address with DHCP, we really don't have a way of knowing if the IP address will change at some point (usually it tends to stay the same, for me at least), and that would make the NAT configurations useless.
You might therefore want to consider modifying the clients' local settings so that they connect to the local IP address of the server when you connect to the certain DNS name. On Windows hosts this can naturally be done with the hosts file.
- Jouni