02-17-2011 05:19 AM - edited 03-11-2019 12:52 PM
My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try and access it from the server itself, I get "
I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back". Can someone tell me how to configure this?
02-17-2011 05:40 AM
Maybe you can use DNS doctoring to avoid this issue, as below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
SongL
02-18-2011 04:12 AM
I am having trouble understanding the article. First, I don't have a DMZ defined. When I add a static NAT rule, DBS is not an option. How do I set this up?
My inside addresses are 10.1.1.50 and 10.1.1.40. Two web servers on a server farm. They use virtual IPs for network address translation (NLM). What do the commands (excerpted from the article) below do?
02-18-2011 09:59 AM
Hi Dave,
What version of IOS are you running? If it's any version below 8.2, just use the following command to enable hairpinning for that NAT IP:
asa(config)#static (inside,inside) public_ip Virtual_ip netmask 255.255.255.255
Let me know if you are using 8.3 or above, as the commands change with those versions.
Manish
02-18-2011 01:22 PM
This is an ASA 5505. The ASA version is 7.2(4). The ASDM version is 5.2(4). I don’t know what the ios is, or how to find the version.
02-18-2011 01:33 PM
Yeah, just try the following command and it will create a hairpin for your static NAT:
If you have:
asa(config)#static (inside,outside) public_ip Virtual_ip netmask 255.255.255.255
Then you also need the following command; this is to stop the FW from thinking it's an IP spoof attack from inside:
asa(config)#static (inside,inside) public_ip Virtual_ip netmask 255.255.255.255
This is the easy way; otherwise DNS doctoring is also a correct response to your problem.
You should be seeing logs for IP spoof denied, if it is because of hairpinning.
Manish
02-19-2011 03:36 AM
I am a rookie at this.
I entered:
asa(config)#Static (inside, inside) xxx.xxx.249.197 192.168.1.101 netmask 255.255.255.255 (xxx is masked out)
It gets an error on the third node of the netmask.
My Vlan is configured as 192.168.1.1 255.255.255.0
I also tried:
asa(config)#Static (inside, inside) xxx.xxx.249.197 192.168.1.101 netmask 255.255.255.0
I am just guessing here.
What now?
Do I need to enter the "If you have..." command?
02-19-2011 06:35 AM
Hi,
Would you please paste the config? Feel free to put x on the IPs if you want.
Mike.
02-19-2011 11:06 AM
Please tell me the command to use to dump it.
02-19-2011 09:21 AM
Hi ,
Please post the NAT configuration as requested earlier; it makes life easier, as everyone can pinpoint the change then.
Manish
Sent from Cisco Technical Support iPhone App
02-19-2011 02:17 PM
Hi Dave
asa# sh run
Copy and paste the NAT config.
Manish
02-20-2011 03:00 AM
The "asa# sh run" did not work. I found "show running config" which worked. See below (sanitized).
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.249.205 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service TerminalServices tcp
port-object eq 3389
object-group network NormalGroup
network-object host 192.168.1.100
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103
network-object host 192.168.1.104
network-object host 192.168.1.106
network-object host 192.168.1.109
network-object host 192.168.1.110
network-object host 192.168.1.111
network-object host 192.168.1.112
network-object host 192.168.1.113
network-object host 192.168.1.114
network-object host 192.168.1.115
object-group network SecureGroup
description Used for secure https
network-object host xxx.xxx.235.1
network-object host xxx.xxx.235.2
network-object host xxx.xxx.235.3
network-object host xxx.xxx.235.4
network-object host xxx.xxx.235.5
network-object host xxx.xxx.235.6
network-object host xxx.xxx.235.7
object-group service HttpGroup tcp
port-object eq 1080
port-object eq 2080
port-object eq www
object-group service SecureSiteGroup tcp
description Used for secure sites
port-object eq 1443
port-object eq 2443
port-object eq https
object-group service FTPGroup tcp
description FTP Ports
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in remark SMTP (Mail) to Superglide or Ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.200 eq smtp
access-list outside_access_in remark Terminal Services to Superglide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.201 object-group TerminalServices
access-list outside_access_in remark Terminal Services Deuce
access-list outside_access_in extended permit tcp any host xxx.xxx.249.202 object-group TerminalServices
access-list outside_access_in remark Terminal Services FatBoy
access-list outside_access_in extended permit tcp any host xxx.xxx.249.203 object-group TerminalServices
access-list outside_access_in remark Terminal Services UltraGlide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.204 object-group TerminalServices
access-list outside_access_in remark Terminal Services WideGlide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.206 object-group TerminalServices
access-list outside_access_in remark Marketing sites http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.196 object-group HttpGroup
access-list outside_access_in remark Customer sites - Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.197 object-group HttpGroup
access-list outside_access_in remark Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.198 object-group HttpGroup
access-list outside_access_in remark Personal sites - Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.199 object-group HttpGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.1 object-group SecureSiteGroup
access-list outside_access_in remark https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.2 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.3 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.4 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.5 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.6 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.7 object-group SecureSiteGroup
access-list outside_access_in remark FTP Ports for Wideglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.13 object-group FTPGroup
access-list outside_access_in remark FTP Ports for Superglide or Ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.14 object-group FTPGroup
access-list outside_access_in remark Used to access ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.10 eq www
access-list outside_access_in remark used to access superglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.11 eq www
access-list Mail extended permit tcp any any eq smtp
access-list Nat1 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 extended permit tcp host 192.168.1.50 eq 2080 any
access-list Nat4 remark 1
access-list Nat4 extended permit tcp host 192.168.1.50 eq 2080 any
access-list Nat5 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat6 extended permit tcp host 192.168.1.50 eq 2080 any
pager lines 24
logging enable
logging asdm informational
logging from-address ciscorouter@xxx.com
logging recipient-address xxx@xxx.com level errors
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 199 xxx.xxx.249.200
nat (inside) 199 access-list Mail
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.249.202 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.206 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.203 3389 192.168.1.30 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.201 3389 192.168.1.40 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.204 3389 192.168.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.13 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.200 smtp 192.168.1.119 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp 192.168.1.120 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.198 www 192.168.1.102 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.199 www 192.168.1.103 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.1 https 192.168.1.109 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.2 https 192.168.1.110 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.4 https 192.168.1.112 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.5 https 192.168.1.113 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.6 https 192.168.1.114 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.7 https 192.168.1.115 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.10 www 192.168.1.50 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.11 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 1080 access-list Nat1
static (inside,outside) tcp xxx.xxx.249.198 1080 access-list Nat2
static (inside,outside) tcp xxx.xxx.249.198 2080 access-list Nat4
static (inside,outside) tcp xxx.xxx.249.197 2080 access-list Nat3
static (inside,outside) tcp xxx.xxx.249.199 1080 access-list Nat5
static (inside,outside) tcp xxx.xxx.249.199 2080 access-list Nat6
static (outside,inside) 192.168.1.50 xxx.xxx.249.200 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.249.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.9 inside
dhcpd dns xxx.xxx.64.152 xxx.xxx.80.152 interface inside
dhcpd enable inside
!
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect esmtp
inspect ftp
inspect icmp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:aedfcfd3e2b136d6199a9a193da8f125
: end
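As an added check that is not part of the thread or any Cisco tool, the script below reads a pre-8.3 running-config in the form posted above, lists every (inside,outside) static that has no (inside,inside) hairpin twin of the kind Manish describes, and emits the twin to add; it also reports whether "same-security-traffic permit intra-interface" is present, which hairpinned traffic needs as well and which the posted config does not contain. The sample config is a constructed excerpt of the posted one, with one hairpin entry added so that a match is shown.

```python
# Constructed excerpt of the posted config (masked addresses kept as posted);
# the (inside,inside) line is added here to show what a covered entry looks like.
SAMPLE_CONFIG = """\
static (inside,outside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 1080 access-list Nat1
static (inside,inside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
static (outside,inside) 192.168.1.50 xxx.xxx.249.200 netmask 255.255.255.255
"""
INTRA = "same-security-traffic permit intra-interface"


def parse_static(line):
    """Parse a pre-8.3 'static' line into a dict; None for any other line."""
    t = line.split()
    if len(t) < 6 or t[0] != "static":
        return None
    rest = t[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    e = {"ifaces": tuple(t[1].strip("()").split(",")), "proto": proto,
         "mapped_ip": rest.pop(0), "mapped_port": rest.pop(0) if proto else None,
         "acl": None, "real_ip": None, "real_port": None}
    if rest[0] == "access-list":      # policy static: real side comes from the ACL
        e["acl"] = rest[1]
    else:
        e["real_ip"], e["real_port"] = rest[0], (rest[1] if proto else None)
    return e


def nat_key(e):
    return (e["proto"], e["mapped_ip"], e["mapped_port"])


def missing_hairpins(config_text):
    """Suggest a 'static (inside,inside)' twin for every (inside,outside) static
    that lacks one, matched on (proto, mapped ip, mapped port)."""
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    hairpins = {nat_key(e) for e in entries if e["ifaces"] == ("inside", "inside")}
    out = []
    for e in entries:
        if e["ifaces"] != ("inside", "outside") or nat_key(e) in hairpins:
            continue
        proto = f"{e['proto']} " if e["proto"] else ""
        if e["acl"]:                   # keep the same ACL on the policy hairpin
            tail = f"{e['mapped_port']} access-list {e['acl']}"
        else:
            ports = f"{e['mapped_port']} {e['real_ip']} {e['real_port']}" if e["proto"] else e["real_ip"]
            tail = f"{ports} netmask 255.255.255.255"
        out.append(f"static (inside,inside) {proto}{e['mapped_ip']} {tail}")
    return out


def intra_interface_enabled(config_text):
    """Hairpin traffic enters and leaves the same interface; the ASA drops it
    unless this global command is present."""
    return any(l.strip() == INTRA for l in config_text.splitlines())
```

Run it over the full output of show running-config; each line it prints is one static still to add, and a False from intra_interface_enabled means the hairpin would be dropped even with the statics in place.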
02-20-2011 07:13 AM