Traffic from inside that references the outside interface IP

kscarzafava
Level 1

Hello,

I have an ASA 5505 running 9.0 in routed mode. I have everything working fine with the exception of one item. I've set up port forwarding for the services that I need to have running, such as HTTP, FTP, SSH, RDP, etc. They all work from outside of the ASA; however, if I reference the webserver's URL internally, it will not work. So externally http://www.thewebserver.com works; however, if I use this same URL from a host on the inside interface, it will not work. I also cannot ping the external interface from inside the network, but I can from outside of the ASA. My outside interface is obtaining an IP address via DHCP from my provider. My config is below.

Thanks in advance for any input!

KS

ASA Version 9.0(1)
!
hostname tazasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd lUgE9AXej18.2X7v encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network centos_www
 host 10.10.200.85
 description centos_www
object network NAS_FTP
 host 10.10.200.15
 description NAS_FTP
object network centos_ssh
 host 10.10.200.85
 description centos_ssh
object network Remote_Desktop_2
 host 10.10.200.102
 description Remote_Desktop_2
object network Remote_Desktop_1
 host 10.10.200.100
 description Remote_Desktop_1
object network Drive_CAM
 host 10.10.200.26
 description Drive_CAM
object network Door_CAM
 host 10.10.200.25
 description Door_CAM
object network ebooks_gateway
 host 10.10.200.102
 description ebooks_gateway
object network Linksys_phone
 host 10.10.200.10
 description Linksys_Phone
object network Inside_network
 subnet 10.10.200.0 255.255.255.0
 description Inside_Network
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 description obj_any
object network xbox_3074_tcp
 host 10.10.200.35
 description xbox_3074_tcp
object network xbox_3074_udp
 host 10.10.200.35
 description xbox_3074_udp
object network centos_tftp
 host 10.10.200.85
 description centos_tftp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network centos_www
 nat (any,outside) static interface service tcp www www
object network NAS_FTP
 nat (any,outside) static interface service tcp ftp ftp
object network centos_ssh
 nat (any,outside) static interface service tcp ssh ssh
object network Remote_Desktop_2
 nat (any,outside) static interface service tcp 3390 3390
object network Remote_Desktop_1
 nat (any,outside) static interface service tcp 3389 3389
object network Drive_CAM
 nat (any,outside) static interface service tcp 9101 9101
object network Door_CAM
 nat (any,outside) static interface no-proxy-arp service tcp 9100 9100
object network ebooks_gateway
 nat (any,outside) static interface service tcp 8888 8888
object network Linksys_phone
 nat (any,outside) static interface service tcp sip sip
object network Inside_network
 nat (any,outside) static interface
object network obj_any
 nat (inside,outside) dynamic interface
object network xbox_3074_tcp
 nat (any,outside) static interface service tcp 3074 3074
object network xbox_3074_udp
 nat (any,outside) static interface service udp 3074 3074
object network centos_tftp
 nat (any,outside) static interface service udp tftp tftp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route inside 172.16.150.0 255.255.255.0 10.10.200.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.10.200.1 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.200.150-10.10.200.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ****** password nWdS.kwFG0AJMUCx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
end


Jouni Forss
VIP Alumni

Hi,

Seems like a problematic situation to me.

Usually one easy way is to use DNS rewrite, so that when the client asks the DNS server for the public IP address of the server, the ASA would modify the DNS reply to actually point to the local IP address of the server before returning the DNS reply to the client. But as you are using Static PAT (Port Forward), this, to my understanding, is not possible.

One other usual option is to do a special NAT so that you can connect to the server from your LAN with the public IP address, but since you mention that your ASA gets its public IP address with DHCP, we really don't have a way of knowing if the IP address will change at some point (usually it tends to stay the same, for me at least), and that would make the NAT configurations useless.

You might therefore want to consider modifying the clients' local settings so that they connect to the local IP address of the server when connecting to a certain DNS name. On Windows hosts this can naturally be done with the hosts file.

- Jouni
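The "special NAT" mentioned in the reply is what Cisco documents as hairpin (U-turn) NAT: a twice NAT rule with inside as both the real and the mapped interface. The block below is an added example for this thread, not the poster's configuration and not something the reply supplied; it shows how that rule would look for the centos_www server from the posted config if the outside address were static. The object names centos_www and Inside_network are taken from the posted config; PUBLIC_IP_PLACEHOLDER, tcp_www and the address 203.0.113.10 are invented here and stand in for the real ISP-assigned address.

```cisco
! Added example (not the poster's config): hairpin NAT for centos_www.
! Assumption: the outside address is static; 203.0.113.10 is a placeholder.
!
! Already present in the posted config and required for a hairpin, because
! the flow enters and leaves on the same interface (inside):
same-security-traffic permit intra-interface
!
! The public address must be a fixed object. The outside interface in the
! posted config uses "ip address dhcp setroute", so this value is not known
! in advance; if the lease changes, this rule silently stops matching. That
! is the drawback the reply points out.
object network PUBLIC_IP_PLACEHOLDER
 host 203.0.113.10
!
! Service object for the port that is forwarded (HTTP on tcp/80).
object service tcp_www
 service tcp destination eq www
!
! Twice NAT, inside -> inside. On the source side, "interface" here is the
! INSIDE interface address (10.10.200.1), not the outside one: the web
! server then sees the ASA as the client and sends its replies back through
! the ASA instead of directly to the client on the same LAN, which would
! otherwise break the TCP session. On the destination side, the public
! address is translated to the real server 10.10.200.85 (centos_www).
! Twice NAT rules are evaluated before the object NAT (port forward) rules
! already in the config, so this one takes precedence for inside clients.
nat (inside,inside) source dynamic Inside_network interface destination static PUBLIC_IP_PLACEHOLDER centos_www service tcp_www tcp_www
```

To check that the rule is hit, `show nat detail` shows translate hit counters per rule, and `packet-tracer input inside tcp 10.10.200.150 12345 203.0.113.10 80` (with the placeholder replaced by the actual public address) walks the flow through the NAT and ACL phases and reports which rule matched. Two caveats worth stating for anyone reusing this: the hairpin rule does nothing about the posted interface ACLs, which are `permit ip any any` in both directions, nor about `http 0.0.0.0 0.0.0.0 outside`, which allows ASDM management from any Internet address; and the inability to ping the outside interface address from the inside network is expected ASA behaviour (the ASA answers ICMP to an interface address only when the packet arrives on that interface), so it is not a symptom of the NAT problem.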
