Cisco Firewall :: ASA 8.4(3) - Access To Public IP Address From Inside
May 22, 2012
I need to connect from an inside host to a host located in the DMZ zone for DNS queries. The host in the DMZ zone has a static NAT to the outside. The point now is that I would like to connect from inside to the NATed outside address, means to the public Internet address.
Inside host: 10.0.0.1 -> PAT for 10.0.0.0/8 to 20.0.0.254 (Outside Interface)
DMZ host: 192.168.1.1 -> NAT to outside to 20.0.0.1
The traffic should be 10.0.0.1 udp>1024 to 20.0.0.1 udp=53. The source IP address on the outside interface now is 20.0.0.254 (according to the PAT), the destination IP address 20.0.0.1. The DNS reply from 20.0.0.1 should go back now to 20.0.0.254 and then to the inside host 10.0.0.1.
I know that on the PIX it was not possible, to have outgoing traffic on the outside interface which immediately enters again the same interface. Can I realize this scenario with the ASA 8.4(3) release now?
View 1 Replies
ADVERTISEMENT
Jan 23, 2012
We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.
View 5 Replies
View Related
May 18, 2011
I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface. For example:
Host 10.0.0.1, translated to PAT pool
Server 10.0.0.5, translated to 172.16.0.1
Inside-out access-list permits ip any any
Outside-in access-list permits tcp any 172.16.0.1/32 eq 80
From my inside host, I can get go 10.0.0.5:80. I can get out to the internet. External hosts can successfully get to 172.16.0.1:80 (address scheme is theoretical). I can do everything except for connect to 172.16.0.1:80 (the translated public IP address) from my inside host address. I did not setup this firewall originally, but I can't see a blatant command that makes this not work. I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy. I'm running a Pix 535 /w 8.0.4. The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts. I have a friend running the same software set and his works as expected without these static (inside, inside) NATs.
View 2 Replies
View Related
Jul 5, 2011
The router is 2821 and is setup to perform static NAT from one internal ip address mapping to one external ip address for each of our servers (inside the LAN): [code] Servers all have internal ip addresses and each of them represented to the outside world by their public ip address with above command on the router. Here is the problem.When I'm in a server (for example 192.168.0.210) and try to access other servers by their public ip addresses (i..e. *.*.*.211) the connection fails. However, When i try to access the same server by it's private IP address (i.e. 192.168.0.211) it works!
My issue is i don't want to modify windows host file for a manual mapping (for example mail.mydomian.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and just doesn't make sense to do it one by one.So we must be able to access our servers by their public IP addresses in order for us our applications works correctly.
View 10 Replies
View Related
Sep 11, 2012
I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 1.1.1.1. From internet i can reach to web server with IP:1.1.1.1 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(1.1.1.1).how can configure it?
View 2 Replies
View Related
Oct 30, 2012
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
View 7 Replies
View Related
Jun 22, 2011
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
View 7 Replies
View Related
May 13, 2011
1. how do I nat a public address to a dmz address.
2. how do I open port 80/443 in the public to this address?
View 1 Replies
View Related
Sep 27, 2011
My customer has a 5510 with the inside interface connected to a routed port on a Cat3560G.When I look at the arp cache on the 5510 all inside IPs have the MAC of the 3560's routed port. [code]
View 6 Replies
View Related
Feb 27, 2011
I have a cisco asa 5505 and i need a public ip address on the inside of my network without NAT. for example: I can create a static nat translation rule, but this is not what i need.
isp -> x.x.x.1 /29 (outside asa) (inside network) x.x.x.2 /29
Is this possible?
View 1 Replies
View Related
May 31, 2012
I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:
There is a sub net (on a sub interface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source Na Ted through the ASA to the outside interface. This works fine.
There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.
Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (Na Ted) IP address. Reason for this is, they have an application with hard programmed IP address inside and want to run some life tests. However, this kind of traffic seems not to be passing through the ASA.
What I have tried so far:
- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.
- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"
- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules
So any reason why I cannot use the public NAT address from any of the other interfaces?
View 3 Replies
View Related
Feb 3, 2013
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
View 4 Replies
View Related
May 8, 2012
I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
Specific error is:5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
Here is my config.
: Saved:ASA Version 8.2(2) !hostname asawooddomain-name wood.localenable password W/KqlBn3sSTvaD0T encryptedpasswd W/KqlBn3sSTvaD0T encryptednamesname 192.168.1.117 kylewooddesk description kyle!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address dhcp setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa822-k8.binftp mode passivedns server-group DefaultDNSdomain-name wood.localobject-group service rdp tcpdescription rdp accessport-object eq 3389access-list outside_access_in extended permit tcp any interface outside eq 3389 access-list outside_access_in extended permit tcp any interface outside eq 8080 access-list outside_access_in extended
[code].....
View 2 Replies
View Related
Apr 30, 2013
I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
Object NAT is configured as follows:
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Onj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
View 5 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
Apr 5, 2012
We've had issues with our Exchange 2010 server (running on ESXi 4.1) since its default gateway was changed to our new ASA 5510. They manifested as frequent Outlook client connection dropouts or as IP address conflicts whenever Exchange was rebooted. The temporary fix was to disable the Exchange server NIC, bounce the ASA and enable the server's NIC again. We saw poor performance from Exchange after a while again, but after some research and testing I realised that disabling proxyarp on the inside interface fixed the problem permanently.
However I've now realised that the client VPN no longer routes properly because proxyarp is disabled on the inside interface, so I still have a problem.
View 10 Replies
View Related
Jul 11, 2012
i'm running a 5510 asa and the vpn has been working great for a while. We recently change our network provider so i had to change the public ip, and dns on the firewall... now i can still connect via the vpn and browse accross my mpls to other sites, but cant really access anything on the native lan that the firewall resides on?
View 9 Replies
View Related
May 26, 2012
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
View 6 Replies
View Related
Mar 10, 2011
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
View 1 Replies
View Related
Mar 15, 2011
Will I break anything if I create a second IP address on the physical external interface of our ASA 5510? I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.
View 9 Replies
View Related
May 10, 2012
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies
View Related
Jul 13, 2011
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies
View Related
Mar 14, 2013
I have a Cisco ASA 5510 I am using ASDM 6.1
I have a LAN and a DMZ and an internet connection. I am using one of the internet connection IPs to host a HTTP service on a server in my DMZ. (its the same interface as my internet connenction but a different IP to the one used for internet connectivity)
so say my LAN is 192.168.1.x
and my DMZ is 172.168.1.x
I can access DMZ from Lan and vice versa. when i try to access the public IP (or URL) from a pc in my LAN i get nothing.
I have enabled DNS rewrite (doctoring) but it is still not working. the HTTP service is available from other sites.
View 1 Replies
View Related
Oct 18, 2012
A Cisco ASA running 8.2.5 with 3 interfaces: Outside (Sec lvl 0)/-nternet IP / DMZ (Sec lvl 2)-192.168.8.0/24 / Inside (Sec level 100)-192.168.1.0/24
An ACL on the DMZ which looks like this:
access list DMZ_IN permit ip 192.168.8.0 255.255.255.0 any
access list DMZ_IN deny ip any any
access-group DMZ_IN in interface DMZ
global (outside) 1 interface
nat (DMZ) 1 192.168.8.0 255.255.255.0
Nat Control is not enabled (by default) There is no nat exemption, static identity nat or any nat of any kind set up between the Inside and DMZ.The question is: Will the DMZ network be able to initiate connections to the Inside network or will only outside (internet) access be permitted?
A) No, inside access will not be permitted, only Interenet access will be permitted, because there is no NAT exemption or Static Identity NAT between the lower level security interface (DMZ) and the Higher level security interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.
B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.
View 4 Replies
View Related
Feb 26, 2013
I recently upgraded my asa from 8.2 to 9.1 (reconfigured from scratch - didnot convert old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Here's my config below -
ASA Version 9.1(1)
!
hostname ZEPPELIN
domain-name MIWEBPORTAL.com
enable password XXXXX
[Code]...
View 15 Replies
View Related
Mar 13, 2012
I have a cisco asa 5520 ios 8.2. This is my configuration [code] But i can not access from DMZ to INSIDE.
View 3 Replies
View Related
Apr 2, 2013
I have a client that just got a second public IP (x.x.x.252) for a new program. I've setup that second IP on their UC540 on the public-facing port and it's accessible all day long from the outside, no problem. The problem comes in where users from within the LAN can't see the new public IP at all; however, they CAN get to the original public IP x.x.x.250. I've looked at the rules every which way and can't see anything that either 1) only allows LAN traffic to get to the original public IP, or 2) a NAT rule that only allows the same thing.
[Disclaimer: I just inherited this client and their setup, so other than me adding the IP and opening ports to it, I didn't program it.]
Here is the port configuration:
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 63.234.195.252 255.255.255.248 secondary
ip address 63.234.195.250 255.255.255.248
ip access-group 106 in
no ip redirects
no ip (code )
I can't figure out why .250 is internally-accessible, but .252 isn't. .252 is in the routing table as a directly-connected address, but I also added ip route 63.234.195.252 255.255.255.255 FastEthernet0/0 to the routing table and it still won't go. Everything is controlled by the UC540: The internal servers do not run DNS or DHCP or even a domain. There are no NAT outside rules.
View 1 Replies
View Related
Mar 3, 2013
I have DMZ n/w 192.166.0.0/24 on which i have nated on public ip
-private ip : 192.16.0.201 (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2
View 13 Replies
View Related
Apr 22, 2013
I have a mail archiver (hardware device) in my network that I need to access to from the Ipad/iphone. There is an app for it but I have to allow the access on the ASA. I created an 'object' for the device and added a Static NAT entry for it, then added an access rule. Its not working so I am guessing I did it wrong. The device uses port 8000 which I also added to the object. correct commands, or using the ASDM works too.
View 1 Replies
View Related
Dec 11, 2012
I am working on pix 525, when connected through console I can access the whole internet but when i connect the pc to the inside interface i have no access to the internet. the pc can ping the pix inside interface and from pix i can ping the pc. My configuration is shown below.
PIX Version 7.2(2)
!
hostname pix
domain-name xyz.edu.pk
enable password xxxxxxxx encrypted
[code]....
View 8 Replies
View Related
Aug 21, 2011
What I have is 3 interfaces on my PIX.- Outside: 216.116.87.0/24 (security level 0)
- 469: 172.16.6.0 /24 (security level 10)
- 571: 192.168.255.0 /24 (security level 1)
My users on 571 need to access a web server on the 469 interface. However, the requirements are that the 571 users can only access the Website using the public FQDN which there is a static NAT from outside to 469. [code] Here is also the Packet-Tracer and it shows what I expect that the traffic is source from 571 and exits 469. However, the users are not able to access the website.[code]
View 4 Replies
View Related
Jan 5, 2012
We have an ASA5505 UL bundel, updated with this license "L-ASA5505-SEC-PL=" to enable traffic from DMZ to Inside. No NAT or rules deployed for that yet.
On the Inside we have Exchange 2007 in a single server installation. The public url for smtp, ActiveSync, OWA and Outlook Anywhere is mail.company.se. There is a static NAT for outside traffic to access above mentioned services on inside. Now, on DMZ there is the WLAN for guests to access the Internet. How ever, our Smart Phones with WLAN turned on, cannot sync to the Exchange Server on the Inside! The DMZ gets IP-addressen from ASA on DMZ Interface with external DNS configured. How can I configure the ASA to achieve the function of ActiveSync from DMZ to Inside with the public URL from the phones?
View 15 Replies
View Related
Sep 23, 2012
I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.
View 6 Replies
View Related
