Eric_PSU
From inside network, connect to inside host using public outside IP
This isn't exactly a hairpinning question like it sounds. I have a Cisco ASA 5510 running firmware version 8.2(1) with 2 interfaces named "inside" and "guest", plus an outside interface going to the internet via our ISP's router. What I can't seem to figure out is how I can allow a host on the "guest" network to connect to a host on the "inside" network using that "inside" network host's public NAT'd IP address.
For example, let's say I want host 192.168.4.4 to be able to connect to 192.168.3.123 using the IP 1.1.1.4.
I thought adding these two lines would work:
static (inside,guest) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
access-list guest_in line 1 extended permit tcp 192.168.4.0 255.255.255.0 host 1.1.1.4 eq www
The ASA seems to be dropping the traffic even with those lines added to the configuration. What am I missing?
Thanks
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
interface Ethernet0/2
nameif guest
security-level 50
ip address 192.168.4.1 255.255.255.0
access-list inside_in extended permit ip any any
access-list outside_in extended permit tcp any host 1.1.1.4 eq www
access-list guest_in extended permit tcp 192.168.4.0 255.255.255.0 host 192.168.3.123 eq www
access-list guest_in extended deny ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list guest_in extended permit ip 192.168.4.0 255.255.255.0 any
access-list no_nat_inside extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
nat-control
global (outside) 1 1.1.1.3
global (inside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 192.168.3.0 255.255.255.0
nat (guest) 0 access-list no_nat_guest
nat (guest) 1 192.168.4.0 255.255.255.0
static (inside,outside) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
static (inside,inside) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
same-security-traffic permit intra-interface
access-group inside_in in interface inside
access-group outside_in in interface outside
access-group guest_in in interface guest
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
This is dns doctoring:
static (inside,outside) PUBLIC_IP INSIDE_IP netmask 255.255.255.255 dns
Then your guests can use host.domain.com and the ASA should translate it for them.
ASKER
Unfortunately I don't think DNS doctoring will work for this application. The inside host I want to connect to is a camera. It connects to the manufacturer's server out on the internet and updates its public IP address. When a user connects to the manufacturer's site, they see a list of their registered cameras, and the user is able to connect to live video using the public IP the server last saw from the camera. This all works great as long as the user is outside our network or on our "inside" network.
Another way I've got this to work is creating a static NAT for your "guest" hosts rather than using PAT. I know it's not ideal if you have a load of hosts on that segment, but if there are only a couple that need this access it could be a simple solution for you.
Your ACLs are pretty much wide open, so you should only need to configure the statics to allow the access.
For example:
static (guest,outside) 1.1.1.5 192.168.4.2 netmask 255.255.255.255
static (guest,outside) 1.1.1.6 192.168.4.3 netmask 255.255.255.255
etc.
static (inside,guest) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
The above command will not work because the ASA sees 1.1.1.0/24 as associated with the outside interface, not the guest interface. The ASA will drop the packet.
The actual static command has to be like below:
static (real_interface,mapped_interface) mapped_ip real_ip
Your command will be valid if it is like below:
static (inside,outside) 1.1.1.4 192.168.3.123 netmask 255.255.255.255
ASKER
I think I figured it out myself. It's working with the attached commands entered. Thanks for the help all. I'm giving credit to Willsadventures since he was correct that the ASA was confused due to the traffic matching the no_nat access-lists.
access-list no_nat_inside extended permit ip 192.168.3.0 255.255.255.192 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.64 255.255.255.224 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.96 255.255.255.240 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.112 255.255.255.248 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.120 255.255.255.254 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.122 255.255.255.255 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.124 255.255.255.252 192.168.4.0 255.255.255.0
access-list no_nat_inside extended permit ip 192.168.3.128 255.255.255.128 192.168.4.0 255.255.255.0
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.192
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.64 255.255.255.224
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.96 255.255.255.240
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.112 255.255.255.248
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.120 255.255.255.254
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.122 255.255.255.255
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.124 255.255.255.252
access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.128 255.255.255.128
no access-list no_nat_inside extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
no access-list no_nat_guest extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
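The asker's carve-out, generated rather than typed by hand, as an added example that is not part of the original thread: a Python script (function names are mine, not ASA or Cisco tooling) that uses the standard library's ipaddress.address_exclude to produce the same no_nat_inside/no_nat_guest entries for any excluded host in either the source or destination network, emits the "no access-list" line that retires the original catch-all entry, and checks that the excluded host no longer matches the NAT exemption.

```python
import ipaddress


def carve_out_subnets(network, excluded_host):
    """Split `network` into the largest subnets that together cover every
    address except `excluded_host` (the asker's hand-built list, automated)."""
    net = ipaddress.ip_network(str(network))
    hole = ipaddress.ip_network(f"{excluded_host}/32")
    # address_exclude() repeatedly halves the network and keeps the half
    # that does not contain the hole; sort for a deterministic order.
    return sorted(net.address_exclude(hole))


def nat_exempt_lines(acl_name, src_net, dst_net, excluded_host):
    """ASA 8.2 'nat 0 access-list' entries in IP/netmask form for
    src_net -> dst_net, with excluded_host carved out of whichever side
    contains it, followed by the line that removes the old broad entry."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    host = ipaddress.ip_address(excluded_host)
    if host in src:
        pairs = [(s, dst) for s in carve_out_subnets(src, host)]
    elif host in dst:
        pairs = [(src, d) for d in carve_out_subnets(dst, host)]
    else:
        raise ValueError(f"{excluded_host} is in neither {src_net} nor {dst_net}")
    lines = [
        f"access-list {acl_name} extended permit ip "
        f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
        for s, d in pairs
    ]
    lines.append(
        f"no access-list {acl_name} extended permit ip "
        f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}"
    )
    return lines


def is_nat_exempt(network, excluded_host, ip):
    """True if `ip` still matches the carved-out exemption (and so bypasses
    the static); the excluded host itself must come back False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in sub for sub in carve_out_subnets(network, excluded_host))


if __name__ == "__main__":
    # Both directions of the asker's fix; 192.168.3.123 is the camera.
    for line in nat_exempt_lines("no_nat_inside", "192.168.3.0/24", "192.168.4.0/24", "192.168.3.123"):
        print(line)
    for line in nat_exempt_lines("no_nat_guest", "192.168.4.0/24", "192.168.3.0/24", "192.168.3.123"):
        print(line)
```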
Glad I was able to help
Or, disable NAT between the guest IPs and that inside IP, and update the guest hosts file so that the FQDN points to the private IP.