cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1478
Views
0
Helpful
5
Replies

Internal to Public IP connections / ASA 5510

jplenbrook
Level 1
Level 1

We have an exchange server which clients from internal subnets would like to access by establishing connection to an public IP address which is NATed of 109.246.7.99 (this is fake IP).

External clients can establish connection to public IP, internal clients to internal IP however when internal clients try to access it via public IP, connection will simply time-out.

I have created an entry in host file for internal clients and we can resolve the server domain name to the correct ip 109.246.7.99 (this is fake IP) however the connection will time-out.

We have Cisco ASA 5510 which filters all the outbound & inbound connections and our Cisco routers (1941/K9 & 2821) do not have any ACL's in terms of traffic filtering. NAT is also performed by ASA 5510.

Guys, what am I missing here? reverse NAT?

5 Replies 5

nfordhk
Level 1
Level 1

Hi,

 

You're trying to reach a NAT address. The firewall creates this translation. By default, you will not be able to reach that IP internally which I'm confused why you would need to? 

You would need to perform some type of hairpin where you go out and come back in. Also, you could assign a public IP to the server directly.

Hi,

It might be confusing and I agree that this is not the best way of achieving this, however changes in our  environment will require clients to connect to the server this way as a temporary solution.

How would you achieve this without assigning public IP to the server directly? We still want to NAT it on the ASA and allow this type of connectivity.

I am sure that there is a way of doing that.

There are several ways to achieve this. An easy one:

Make sure that your Exchange-Server uses a NAT-translation with only the IP and not any port-numbers. There you can enable "dns doctoring":

object network EXCHANGE
 host 10.10.10.10
 nat (inside,outside) static 109.246.7.99 dns

If the DNS-requests will also flow through this ASA, then the ASA will replace the public IP 109.246.7.99 in the DNS-replies with the internal IP of the server.

Hi,

Thanks for your reply.


object network 10.10.10.1
 nat (inside,outside) static 109.246.7.96
object network 10.10.10.2
 nat (inside,outside) static 109.246.7.97
object network 10.10.10.3
 nat (inside,outside) static 109.246.7.98
object network 10.10.10.10
 nat (any,any) static 109.246.7.99

First of all, do you know why object network 10.10.10.10 is configured any,any isntead of inside,outside if all of them are the exchange servers are there is no difference in terms of connectivity etc? It was done by someone else and I can't find any reason to why.

Plus obviously we have extended ACL's for outside access to those IP addresses for services like HTTPS, RDP, SMTP etc.

I am confused with the DNS entry at the end of the NAT rule you have shown me. Is that all that needs to be added to allow internal to external IP conenctivity? I don't understand how that works and what it does.

The "(any,any)" is most likely resulted by the lazyness of the person who configured it in ASDM. The interface options are only available after opening the advanced settings.

IMO it's a better config to always specify the interfaces unless you know that you want that translation to work on multiple interfaces. And that's more often the case with dynamic NAT but rarely with static NAT.

Here is an explanation of what DNS doctoring does:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Review Cisco Networking for a $25 gift card