TOPIC: ASA5505 -- access from internal to internal via external?

ASA5505 -- access from internal to internal via external? 8 years 9 months ago #25150

  • mobocracy
  • New Member
  • Posts: 2
  • Karma: 0
I have an ASA 5505 running 8.0(3). I have three public IPs, one statically natted to a host inside, one assigned to the ASA and one unused.

Is it possible for hosts inside the firewall to access the statically natted host via its public IP?

In other words, when a client inside the firewall resolves www.example.com it returns a public IP, and they can never connect to the site. The inside address works, but with name-based virtual hosting you can't see those sites via IP. There's a dozen other hacks to get around this on the client end, but I'd like to fix on the firewall if possible.

No errors appear to be generated on the ASA and the packet trace tool indicates this traffic should flow, but it sounds like one of those issues where a flow/access/NAT rule actually makes it not work.

Re: ASA5505 -- access from internal to internal via external? 8 years 9 months ago #25151

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1]

The command same-security-traffic permit intra-interface, I believe, is for IPSec traffic (don't quote me on this though).

It's not usually the way that you do this because it's putting more load on the ASA, which isn't necessary. The better method would be to have split DNS and host your FQDN (www.example.com) on DNS servers internally but assign the DNS records private IP addresses.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: ASA5505 -- access from internal to internal via external? 8 years 9 months ago #25152

  • mobocracy
  • New Member
  • Posts: 2
  • Karma: 0
[quote]
It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1]
[/quote]

Nope, that doesn't work, but intra-interface does allow SSL VPN traffic to hairpin to the internet.

IMHO, all the methods other than hairpinning are a kludge. I suppose I could move the statically natted host I want to get to to a DMZ, but I only have a base license and there's something braindead with the DMZ and the base license.

I can generally live without it, there's a dozen different ways around it (ssh tunneling/outside proxies/route through secondary firewall), but it'd be nicer to just hairpin the traffic.
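For anyone landing on this thread with the same problem, here is the hairpin (U-turn) configuration as it is normally written for an ASA on pre-8.3 software such as the 8.0(3) mentioned above. This is an added example, not a configuration posted by anyone in this thread; the addresses 203.0.113.10 (the server's public IP), 192.168.1.10 (the server's inside IP) and 192.168.1.0/24 (the inside network) are made-up placeholders. The key point is that the command which lets a packet leave through the interface it arrived on is the intra-interface form, not inter-interface (which only covers traffic between two different interfaces that share the same security level), and that on its own it is not enough: the server's replies also have to come back through the ASA.

```cisco
! Added example (not from this thread): inside clients reaching an inside
! server by its public address on an ASA running pre-8.3 NAT syntax.
! Placeholder addresses: 203.0.113.10 = server's public IP,
! 192.168.1.10 = server's inside IP, 192.168.1.0/24 = inside network.
!
! 1. Permit traffic to enter and leave the same interface (the U-turn).
!    intra-interface is the hairpin command; inter-interface only permits
!    traffic between two different interfaces of equal security level.
same-security-traffic permit intra-interface
!
! 2. The existing outside mapping for the server (already in place).
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 3. The same mapping on the inside interface, so a client packet sent to
!    203.0.113.10 is translated to 192.168.1.10 and forwarded back out inside.
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 4. PAT hairpinned clients to the inside interface address. Without this
!    the server answers the client directly on the LAN from 192.168.1.10,
!    the client was expecting a reply from 203.0.113.10, and the session is
!    reset with nothing logged on the ASA.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! The existing outbound PAT for normal internet access is unchanged; the
! nat (inside) 1 line above serves both global statements.
global (outside) 1 interface
```

To check it, open a connection from an inside client to 203.0.113.10 and look at show xlate: there should be the static entry for 203.0.113.10 plus a PAT entry for the client on the inside interface. packet-tracer (input inside, from a client address to 203.0.113.10 port 80) will walk through the intra-interface check, both static entries and the PAT, which is a quicker way to spot which of the four pieces is missing than watching for log messages that never appear.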

Re: ASA5505 -- access from internal to internal via external? 8 years 9 months ago #25155

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Hmmm, according to the literature that should work.

Unfortunately I no longer have an ASA/PIX at my disposal to do some testing as I have recently moved jobs.

If you work it out then please update this post :)

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: ASA5505 -- access from internal to internal via external 8 years 9 months ago #25185

  • clusterit
  • New Member
  • Posts: 5
  • Karma: 0
[quote]
I have an ASA 5505 running 8.0(3). I have three public IPs, one statically natted to a host inside, one assigned to the ASA and one unused.

Is it possible for hosts inside the firewall to access the statically natted host via its public IP?

In other words, when a client inside the firewall resolves www.example.com it returns a public IP, and they can never connect to the site. The inside address works, but with name-based virtual hosting you can't see those sites via IP. There's a dozen other hacks to get around this on the client end, but I'd like to fix on the firewall if possible.

No errors appear to be generated on the ASA and the packet trace tool indicates this traffic should flow, but it sounds like one of those issues where a flow/access/NAT rule actually makes it not work.
[/quote]

Greetings mobocracy.
I have a 5505 as well, with only the base licence and 5 static IPs at my disposal. Found your post via a Google search and am hoping that you can tell me how you used that 2nd static IP of yours for the 5505 itself. Do you know how I can use the additional IPs I have for NATing? So far, I have only managed to use 1 static IP.
Many thanks.
Marc

Re: ASA5505 -- access from internal to internal via external? 8 years 5 months ago #26529

  • Byter2k
  • New Member
  • Posts: 1
  • Karma: 0
An internal DNS server is the best way... but if you don't want to do that, then don't bother using hairpinning. Just use DNS doctoring. Do a search on Cisco's site for DocID 71704 and 72273.

[quote]
It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1]

Nope, that doesn't work, but intra-interface does allow SSL VPN traffic to hairpin to the internet.

IMHO, all the methods other than hairpinning are a kludge. I suppose I could move the statically natted host I want to get to to a DMZ, but I only have a base license and there's something braindead with the DMZ and the base license.

I can generally live without it, there's a dozen different ways around it (ssh tunneling/outside proxies/route through secondary firewall), but it'd be nicer to just hairpin the traffic.
[/quote]
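DNS doctoring, as Byter2k suggests, written out as an added example (it is not taken from this thread or from the Cisco documents cited). It uses the same pre-8.3 NAT syntax as the 8.0(3) box in the original question; 203.0.113.10 (server's public IP) and 192.168.1.10 (server's inside IP) are placeholder addresses. Instead of making the traffic turn around inside the ASA, the ASA fixes the answer the client gets from DNS, so the client talks to the server directly on the LAN and the firewall carries no extra load, which addresses the objection raised earlier in the thread.

```cisco
! Added example (not from this thread or the cited Cisco documents):
! DNS doctoring on an ASA with pre-8.3 NAT syntax.
! Placeholder addresses: 203.0.113.10 = server's public IP,
! 192.168.1.10 = server's inside IP.
!
! The dns keyword on the server's existing static tells the ASA to rewrite
! A records in DNS replies crossing from outside to inside: an inside client
! resolving www.example.com through an outside resolver gets 192.168.1.10
! back instead of 203.0.113.10 and connects on the LAN, so nothing hairpins.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
!
! The rewrite is done by DNS application inspection. The default global
! policy already enables it; it is shown here so it can be confirmed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
```

Two things to keep in mind when checking it: the rewrite only happens to replies that actually pass through the ASA, so clients must use an outside resolver or an inside DNS server that forwards its queries out through the firewall; and it only touches the A record, so name-based virtual hosting keeps working because the client still sends the Host header for www.example.com. From an inside host, nslookup www.example.com should now return 192.168.1.10; if it still returns the public address, verify with show service-policy that inspect dns is applied, since without DNS inspection the dns keyword does nothing.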