ASA5505 -- access from internal to internal via external?
I have an ASA 5505 running 8.0(3). I have three public IPs, one statically natted to a host inside, one assigned to the ASA and one unused.
Is it possible for hosts inside the firewall to access the statically natted host via its public IP?
In other words, when a client inside the firewall resolves www.example.com it returns a public IP, and they can never connect to the site. The inside address works, but with name-based virtual hosting you can't see those sites via IP. There's a dozen other hacks to get around this on the client end, but I'd like to fix it on the firewall if possible.
No errors appear to be generated on the ASA and the packet trace tool indicates this traffic should flow, but it sounds like one of those issues where a flow/access/NAT rule actually makes it not work.
It's known as hairpinning and it wasn't something that could be done, however I have heard that it is now something that you can get the ASA to do.
I believe the following code will allow this:
[code:1]
same-security-traffic permit inter-interface
[/code:1]
The command same-security-traffic permit intra-interface I believe is for IPSec traffic (don't quote me on this though).
It's not usually the way that you do this because it's putting more load on the ASA, which isn't necessary. The better method would be to have split DNS and host your FQDN (www.example.com) on DNS servers internally, but assign the DNS records private IP addresses.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
It's known as hairpinning and it wasn't something that could be done, however I have heard that it is now something that you can get the ASA to do.
I believe the following code will allow this:
[code:1]
same-security-traffic permit inter-interface
[/code:1]
Nope, that doesn't work, but intra-interface does allow SSL VPN traffic to hairpin to the internet.
IMHO, all the methods other than hairpinning are a kludge. I suppose I could move the statically natted host I want to get to to a DMZ, but I only have a base license and there's something braindead with the DMZ and the base license.
I can generally live without it, there's a dozen different ways around it (ssh tunneling/outside proxies/route through secondary firewall), but it'd be nicer to just hairpin the traffic.
Unfortunately I no longer have an ASA/PIX at my disposal to do some testing, as I have recently moved jobs.
If you work it out then please update this post.
Wayne
Greetings mobocracy.
I have a 5505 as well, with only the base licence and 5 static IPs at my disposal. Found your post via a Google search and am hoping that you can tell me how you used that 2nd static IP of yours for the 5505 itself. Do you know how I can use the additional IPs I have for NAT? So far, I have only managed to use 1 static IP.
Many thanks.
Marc
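Neither poster ends up with a working firewall-side configuration in the thread, so here is an added example (mine, not Wayne's or mobocracy's, and not something either of them tested) in the pre-8.3 NAT syntax that 8.0(3) uses. It shows the two approaches the thread circles around: DNS doctoring with the `dns` keyword on the static, which is the firewall-side equivalent of Wayne's split-DNS suggestion, and a real hairpin, which on this code train needs a `static (inside,inside)` and an inside `global` in addition to `same-security-traffic permit intra-interface` so that the server's reply returns through the ASA rather than going straight back to the client. It also maps the spare third public IP to a second inside host, which is the part Marc asks about. All addresses, VLAN numbers, ports and hostnames are assumptions (RFC 5737 documentation ranges), not the posters' real values.

```cisco
! ASA 5505, 8.0(3)-era (pre-8.3) NAT syntax. Added example, not from the thread.
! Assumed addressing (documentation ranges, not the posters' real IPs):
!   outside interface  203.0.113.10/29, ISP gateway 203.0.113.9
!   web server         192.168.1.11  <-> 203.0.113.11  (the statically NATed host)
!   second host        192.168.1.12  <-> 203.0.113.12  (the "unused" third IP)
!   inside network     192.168.1.0/24
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.9
!
! Let a flow enter and leave the same interface. Without this the
! inside->inside (hairpin) packet is dropped before NAT is even consulted.
same-security-traffic permit intra-interface
!
! Ordinary outbound PAT for the inside network. NAT id 1 is reused below
! with a second global on the inside interface for the hairpin case.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! One-to-one statics for the two public IPs that are not the ASA's own.
! "dns" enables DNS doctoring: when a DNS reply carrying the A record
! 203.0.113.11 crosses the ASA towards an inside client (or an inside
! resolver that forwards to the Internet), the ASA rewrites it to
! 192.168.1.11. The client then connects to the private address while its
! Host: header still says www.example.com, so name-based vhosts work and
! the traffic never has to hairpin through the firewall at all.
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255
!
! Hairpin for clients that already hold the public IP (cached records,
! hosts-file entries). The inside->inside static makes 203.0.113.11
! reachable from the inside interface, and the inside global PATs the
! client's source address to the ASA's inside address, so the server
! answers the ASA instead of replying directly to the client (which would
! be asymmetric and reset the connection).
static (inside,inside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
global (inside) 1 interface
!
! DNS doctoring depends on DNS inspection. It is part of the default
! global_policy on 8.0; it is shown here so the dependency is explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Inbound policy from the Internet to the published hosts.
access-list outside_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_in extended permit tcp any host 203.0.113.11 eq https
access-list outside_in extended permit tcp any host 203.0.113.12 eq ssh
access-group outside_in in interface outside
```

To check the hairpin path from the CLI, run `packet-tracer input inside tcp 192.168.1.50 1025 203.0.113.11 80` (the client address is assumed) and then `show xlate`: with the `static (inside,inside)` and inside `global` in place the tracer should report an inside-to-inside flow with the source translated to 192.168.1.1, rather than the untranslated flow that looks allowed but never completes. DNS doctoring is the lower-load option Wayne describes, but it only helps when the DNS reply actually traverses the ASA; anything that resolves the name without crossing the firewall, or that hard-codes the public IP, still needs the hairpin. The syntax above is specific to the 8.0 train discussed in the thread; 8.3 and later replaced `static`/`nat`/`global` with object NAT.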