08-23-2006 10:25 AM - edited 03-09-2019 03:59 PM
Hey,
I've got an ASA5520 7.2(1) which I've got a few probs with - one of which is something I'm struggling with.
I'm trying to hit a website from a host in the inside network which is actually hosted internally but resolves to the static nat'd address on the outside interface of the firewall.
Now I can see the TCP connection built, the translation occurring to a high port on the outside interface, that high port talking back at one of the static'd addresses on the outside interface, then that's it. There are no more entries in my log with regard to the connection and I'm not receiving SYNs on the internal web server either, so the connection ain't coming back in.
ip address outside 222.x.x.9 255.255.255.248
ip address inside 192.168.87.1 255.255.255.0
Web server's static NAT:
static (inside, outside) 222.x.x.10 192.168.87.5
Access lists to gain access:
access-list inbound extended permit tcp any host 192.168.87.5 eq http
access-group inbound interface outside in
It all works fine when originating from a Global internet address - just not when the address originated from inside and Dynamic PAT is performed to the originating address.
Here's a capture session using the following access list for capture on inside and outside interfaces concurrently
access-list web line 1 extended permit ip host 222.222.222.10 any
access-list web line 2 extended permit ip any host 222.222.222.10
on the INSIDE interface (nothing gets logged on the outside; IP addresses have been replaced with nonsensical ones), but the 222 address is the interface's static'd address and the other is on the internal network.
316: 19:14:02.900206 192.168.87.10.2275 > 222.222.222.10.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>
317: 19:14:05.973185 192.168.87.10.2275 > 222.222.222.10.80: S 2029971541:2029971541(0) win 64512 <mss 1460,nop,nop,sackOK>
192.168.87.10 is my client trying to connect
Anyone have any gotchas that would stop this from working?
All the networks are directly attached and there's no route summarisation occurring anywhere.
Hope you guys can help!
Regards
Paul.
08-24-2006 05:19 AM
To my knowledge the ASA will only support hairpinning over a VPN tunnel. The security appliance does not allow traffic sent to an interface to go back in the direction it was received from.
08-23-2006 11:22 AM
Best way to resolve this would be to use DNS reply modification. Add dns to the end of the web server static. This will change the DNS reply your PC gets to the internal IP.
Web server's static NAT:
static (inside, outside) 222.222.222.10 192.168.87.5 dns
See this link for info:
Thanks,
Chad
Please rate if this helps.
08-23-2006 02:17 PM
Okay, cool. I appreciate the answer.
Thing is, I have control over the DNS server the machine is using to resolve the name, so I could have done that already without using the DNS reply mod feature. Also I should have mentioned the web server serves up secure pages, so the cert won't match the IP address/external domain name if users are redirected to the internal address.
It's also useful as a troubleshooting tool to go through the same access methods as external users to the HTTP and HTTPS services this box provides.
Any more thoughts?
Regards
Paul.
08-24-2006 10:01 AM
Hairpinning! That's what I've needed to know, and thanks. I believe it doesn't either. I'll check myself through some docs and start a workaround to sort this out.
Thanks for your time!
Paul.
09-14-2006 12:44 PM
Did you try "alias"?
09-14-2006 09:09 PM
Hi,
I think in the end I stated that we couldn't do hairpinning from and back in an interface. But then I discovered the DNS doctoring command which would take the form as displayed
static (inside,outside) 222.222.222.10 192.168.87.5 netmask 255.255.255.255 dns
Which is the newer form of alias, is it not? This doctors all DNS replies for the 222.222.222.10 address directly to the 192.168.87.5 address from the inside, so clients all resolve the internal address and never even try and hit the firewall now.
Winner.
Thanks again guys!
11-04-2006 07:50 AM
Hi,
I am having the same problem but with a 1841 router. I can't access an inside host from inside clients when its DNS points to the outside router IP. From the outside the host is perfectly accessible.
Any suggestions?
Regards,
Oliver
11-08-2006 01:41 AM
Use the 'dns' command on the end of your static statement:
static (inside,outside) 192.168.10.10 10.10.10.10 netmask 255.255.255.255 dns
so everything that's getting resolved to the 192.168.10.10 external address gets fixed up by the firewall to return an address of 10.10.10.10 instead, meaning your clients connect directly rather than trying to 'hairpin' (which won't work) out and in the firewall's interface.
Hope this helps.
Paul.
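To make concrete what the dns keyword on the static (Paul's 222.222.222.10 -> 192.168.87.5 entry above, and the generic form in the reply just before this) does to a DNS reply, here is an added example that is not from the thread or from Cisco: it parses a constructed DNS response in wire format and rewrites any A record whose address is a mapped address in a one-to-one static table to the real inside address, the way the firewall does for replies delivered to the inside. It models only the one-to-one static form; the DNS_DOCTORING table, doctor_reply and build_reply names are this example's own, and the reply bytes are constructed, not captured.

```python
import struct
import ipaddress

# One-to-one static entries carrying the "dns" keyword, mapped -> real,
# taken from the thread: static (inside,outside) 222.222.222.10 192.168.87.5 dns
DNS_DOCTORING = {"222.222.222.10": "192.168.87.5"}

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_reply(msg, table=DNS_DOCTORING):
    """Rewrite A-record rdata in a DNS reply as the ASA 'dns' keyword does for a
    reply heading to the inside: mapped addresses become the real addresses.
    Other records, TTLs and the question are untouched. Returns (msg, count)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:      # A record, IPv4 rdata
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if addr in table:
                out[off:off + 4] = ipaddress.IPv4Address(table[addr]).packed
                rewritten += 1
        off += rdlen
    return bytes(out), rewritten

def build_reply(qname, addrs, ttl=300):
    """Construct a minimal standard DNS reply with one question and one A
    record per address (constructed sample data, not a capture)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers
```

An inside client that receives the doctored reply resolves 192.168.87.5 and connects directly, so no hairpin on the outside interface is attempted.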
11-17-2006 11:53 PM
I am also having the same problem as you guys, only that I am using PAT instead of static NAT (looks like this):
static (internal,external) tcp interface www 192.168.6.2 www netmask 255.255.255.255 dns
It still doesn't work though. I haven't tried using the static NAT, since I am still waiting for the service provider to add another public IP address.
Anyway, has anyone tried using this command and actually made it work? Any workarounds I can do?
Thanks
Vincent
08-30-2006 12:13 PM
Hi Paul,
Actually, I see something wrong in the access list: since the NAT'd address is 222.222.222.10, the access list must look like this:
access-list inbound extended permit tcp any host 222.222.222.10 eq http
Hope this helps!!
Turbo