ASA5505 -- access from internal to internal via external?

16 years 7 months ago #25150 by mobocracy
I have an ASA 5505 running 8.0(3). I have three public IPs, one statically natted to a host inside, one assigned to the ASA and one unused.

Is it possible for hosts inside the firewall to access the statically natted host via its public IP?

In other words, when a client inside the firewall resolves www.example.com it returns a public IP, and they can never connect to the site. The inside address works, but with name-based virtual hosting you can't see those sites via IP. There's a dozen other hacks to get around this on the client end, but I'd like to fix on the firewall if possible.

No errors appear generated on the ASA and the packet trace tool indicates this traffic should flow, but it sounds like one of those issues where a flow/access/NAT rule actually makes it not work.
16 years 7 months ago #25151 by Smurf
It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1]

The command
same-security-traffic permit intra-interface I believe is for IPSec traffic (don't quote me on this though).

It's not usually the way that you do this because it's putting more load on the ASA, which isn't necessary. The better method would be to have split DNS and host your FQDN (www.example.com) on DNS servers internally, but assign the DNS records private IP addresses.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 7 months ago #25152 by mobocracy
[quote="Smurf"]It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1][/quote]

Nope, that doesn't work, but intra-interface does allow SSL VPN traffic to hairpin to the internet.

IMHO, all the methods other than hairpinning are a kludge. I suppose I could move the statically natted host I want to get to to a DMZ, but I only have a base license and there's something braindead with the DMZ and the base license.

I can generally live without it, there's a dozen different ways around it (ssh tunneling/outside proxies/route through secondary firewall), but it'd be nicer to just hairpin the traffic.
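For reference, an added example (not posted by anyone in this thread and not copied from Cisco's documentation) of the pre-8.3 U-turn configuration as it is usually built on an ASA 8.0: the keyword that matters for traffic entering and leaving the same interface is intra-interface, and it needs both a destination translation on the inside interface and a source PAT so the server's reply comes back through the ASA. All addresses (inside 10.0.0.0/24, server 10.0.0.10, public 203.0.113.10, test client 10.0.0.50) are assumed placeholders.

```cisco
! Added example, not from the thread: ASA 8.0(3) hairpin (U-turn) for an
! inside client reaching the public address of an inside server.
! Assumed addresses: inside 10.0.0.0/24, server 10.0.0.10,
! public address 203.0.113.10, test client 10.0.0.50.
!
! 1. Permit traffic to enter and leave the SAME interface. "inter-interface"
!    only covers two different interfaces at the same security level.
same-security-traffic permit intra-interface
!
! 2. The existing public mapping of the server on the outside interface.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! 3. Destination translation for the U-turn: packets arriving on inside
!    for 203.0.113.10 are rewritten to 10.0.0.10 and sent back out inside.
static (inside,inside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! 4. Source PAT to the inside interface address. Without this the server
!    answers the client directly on the LAN, the ASA never sees the reply,
!    and the TCP session never completes.
global (inside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
!
! Verification: the trace should show both NAT phases and an ALLOW result,
! and an xlate entry should appear for the client once it connects.
packet-tracer input inside tcp 10.0.0.50 12345 203.0.113.10 80
show xlate
```

Every hairpinned session is NATed twice and costs a second pass through the ASA, which is the extra load mentioned earlier in the thread; keep the nat statement scoped to the inside subnet rather than 0.0.0.0 so only LAN clients are affected.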
16 years 7 months ago #25155 by Smurf
Hmmm according to literature that should work.

Unfortunately i no longer have an ASA/Pix at my disposal to do some testing as i have recently moved jobs.

If you work it out then please update this post :)

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 7 months ago #25185 by clusterit
[quote="mobocracy"]I have an ASA 5505 running 8.0(3). I have three public IPs, one statically natted to a host inside, one assigned to the ASA and one unused.

Is it possible for hosts inside the firewall to access the statically natted host via its public IP?

In other words, when a client inside the firewall resolves www.example.com it returns a public IP, and they can never connect to the site. The inside address works, but with name-based virtual hosting you can't see those sites via IP. There's a dozen other hacks to get around this on the client end, but I'd like to fix on the firewall if possible.

No errors appear generated on the ASA and the packet trace tool indicates this traffic should flow, but it sounds like one of those issues where a flow/access/NAT rule actually makes it not work.[/quote]


Greetings mobocracy.
I have a 5505 as well, with only the base licence and 5 static IPs at my disposal. Found your post via a Google search and am hoping that you can tell me how you used that 2nd static IP of yours for the 5505 itself. Do you know how I can use the additional IPs I have for NATing? So far, I have only managed to use 1 static IP.
Many thanks.
Marc
16 years 3 months ago #26529 by Byter2k
An internal DNS server is the best way... but if you don't want to do that, then don't bother using hairpinning. Just use DNS doctoring. Do a search on Cisco's site for DocID 71704 and 72273.

[quote="mobocracy"][quote="Smurf"]It's known as hairpinning and it wasn't something that could be done; however, I have heard that it is now something that you can get the ASA to do.

I believe the following code will allow this:

[code:1]
same-security-traffic permit inter-interface
[/code:1][/quote]

Nope, that doesn't work, but intra-interface does allow SSL VPN traffic to hairpin to the internet.

IMHO, all the methods other than hairpinning are a kludge. I suppose I could move the statically natted host I want to get to to a DMZ, but I only have a base license and there's something braindead with the DMZ and the base license.

I can generally live without it, there's a dozen different ways around it (ssh tunneling/outside proxies/route through secondary firewall), but it'd be nicer to just hairpin the traffic.[/quote]
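An added example of the DNS doctoring alternative mentioned above (not posted by anyone in this thread and not copied from the Cisco documents it cites): the ASA rewrites the A record in DNS replies that cross the static translation, so inside clients resolve www.example.com to the private address and connect on the LAN with no U-turn through the firewall. Addresses (server 10.0.0.10, public 203.0.113.10) are assumed placeholders, and it assumes the clients' DNS resolver is on the outside so the replies actually pass through the ASA.

```cisco
! Added example, not from the thread: DNS doctoring on ASA 8.0 (pre-8.3 syntax).
! Assumed addresses: server 10.0.0.10, public address 203.0.113.10.
! Assumption: inside clients query a DNS server on the OUTSIDE, so the
! reply traverses the ASA. Replies from an internal DNS server are never
! rewritten, which is why this does not replace split DNS in that case.
!
! The "dns" keyword on the static enables A-record rewriting: an answer of
! 203.0.113.10 arriving on outside is changed to 10.0.0.10 before it is
! delivered to the inside client.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 dns
!
! DNS inspection must be applied to the DNS flows. It is part of the default
! global policy; shown here in case it was removed from the running config.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Check: resolve www.example.com from an inside client; the answer should now
! be 10.0.0.10. Flush the client's resolver cache before re-testing, and
! confirm the inspection is active with:
show service-policy inspect dns
```

Because only the DNS reply is altered, there is no extra NAT pass on the firewall for the application traffic itself, which is the load argument raised earlier in the thread.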