
We are trying to configure our Cisco 5505, and it has been done through ASDM.

There is one big problem that we're not able to solve, and that's when you go from inside to outside and back in again.

For example, we have a server "inside" and we want to be able to reach this server with the same address whether we're on the inside or on the outside.

The problem is adding a rule that will allow traffic from inside to outside and then back in again.

Wesley
Fore
  • There's no way we can help you with such little information. ASAs are complex; you need a network guy to configure this for you, otherwise it'll stop working at the worst time possible or you'll get hacked. – Chopper3 Jun 22 '11 at 11:20
  • Off-topic: You should look into upgrading that ASA to a newer software release, as all new documentation/how-to's are written for 8.x – pauska Jun 22 '11 at 11:31
  • pauska, we thought about it, and tried to get the latest firmware, but stopped since it seemed to cost extra, but perhaps it's worth it! – Fore Jun 22 '11 at 14:19

3 Answers


The ASA firewall cannot route traffic. You need to masq the inside address against the external address.

Solution 1: DNS doctoring with static NAT

Let's say your external website IP address is 1.2.3.4, which in turn is port-forwarded (or directly NAT'ed) to the internal IP address 192.168.0.10. With DNS doctoring, the following will happen:

  1. The client on the inside requests http://www.companyweb.com, which originally translates to 1.2.3.4
  2. The ASA intercepts the DNS reply packet, and replaces the A-record with 192.168.0.10
  3. The client gets very happy, as it now can open up the company web site :-)

For more detailed info on how you enable this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Solution 2: Internal DNS server

This one is useful if you only have one external IP, and you port-forward this IP to many internal services on different servers (let's say ports 80 and 443 go to 192.168.0.10, port 25 goes to 192.168.0.11, etc.).

It requires no configuration change on the ASA, but it will require you to duplicate your external domain on an internal DNS server (Active Directory has this built in). You just create the exact same records as you have now, only with internal IPs for the services you have internally.

"Solution" 3: DMZ interface with public IP's

I'm not going to get into much detail on this one, as it requires you to get a subnet of IP addresses from your ISP routed to your ASA. It's very hard these days with IPv4 starvation.

pauska
  • Nice answer. +1 – Carlos Garcia Jun 22 '11 at 12:08
  • Thanks a bunch for the nice answer, I think we will go for the internal DNS system. And considering buying an upgrade on the ASA – Fore Jun 22 '11 at 15:03
  • I've realized #1 works great *if* I have a DNS inspection map. On the ASA firewalls where I didn't have the inspection map, this failed (`fixup protocol dns` works, too). Thanks for getting me to look into this deeper. – ewwhite Mar 05 '14 at 15:31
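As an added example (not from the answer above or from the linked Cisco document), this is what solution 1 looks like on the ASA itself, using the answer's addresses (1.2.3.4 public, 192.168.0.10 inside) and its hostname www.companyweb.com. The first block is the pre-8.3 `static` syntax this thread is written against; the second is the equivalent object NAT syntax for ASA 8.3 and later, included on the assumption that the box gets upgraded as suggested in the comments. The access-list and object names (`outside_in`, `web-server`) are my own choice, not anything on the page.

```cisco
! ===== ASA 8.2 and earlier: static NAT with the dns keyword =====
! The trailing "dns" keyword is what makes the DNS inspection engine
! rewrite A records for 1.2.3.4 to 192.168.0.10 in replies that pass
! from outside to inside (the "doctoring" step 2 in the answer).
static (inside,outside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255 dns

! Permit the inbound web traffic to the mapped (public) address.
! Pre-8.3 ACLs reference the mapped address, not the real one.
access-list outside_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_in extended permit tcp any host 1.2.3.4 eq https
access-group outside_in in interface outside

! Doctoring only happens if DNS inspection is actually applied to the
! traffic. This is the factory default global policy; if someone removed
! "inspect dns" from it, the static above is silently ineffective for DNS.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! ===== ASA 8.3 and later: the same thing as object NAT =====
! Note that from 8.3 on, interface ACLs reference the REAL address
! (the object), not the mapped one.
object network web-server
 host 192.168.0.10
 nat (inside,outside) static 1.2.3.4 dns
access-list outside_in extended permit tcp any object web-server eq www
access-list outside_in extended permit tcp any object web-server eq https
access-group outside_in in interface outside
```

To check it, resolve the name from an inside host (`nslookup www.companyweb.com`); the answer should now be 192.168.0.10, while the same query from outside still returns 1.2.3.4. `show service-policy inspect dns` on the ASA confirms the inspection is applied and counting packets. The rewrite only occurs for DNS replies that actually traverse the ASA: an inside client that asks an inside resolver which in turn forwards upstream is fine (the forwarded reply crosses outside to inside and is doctored before the resolver caches it), but a reply that never leaves the inside network is not touched. DNS replies carried over TCP are not rewritten by the default inspection either.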

As other similar questions are being marked as duplicates with a reference to here, I wish to complement the excellent answer by @pauska with a 4th option.

Solution 4: Routing the traffic through NAT Hairpinning

Allowing traffic back through an interface on a Cisco PIX/ASA appliance, such as when a NATed client accesses a NATed server through its public IP, is called NAT hairpinning by Cisco.

It uses essentially the same configuration parameters as usual for NAT and port forwarding, but with the addition of this command:

same-security-traffic permit intra-interface

and a second static mapping for inside-to-inside traffic to the server:

static(inside,inside) i.i.i.i x.x.x.x

This is described in detail, complete with a configuration example for a two-interface design, here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

And here is a Destination NAT alternative for a three-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2

ErikE
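As an added example (mine, not the answer's or Cisco's), here is solution 4 written out for the two-interface case with the same addresses used earlier in the thread (public 1.2.3.4, server 192.168.0.10, inside network 192.168.0.0/24, which is my assumption). The first block is the pre-8.3 syntax that the `static(inside,inside)` line above belongs to; the second is the twice-NAT form for ASA 8.3 and later. The object names are invented for the example.

```cisco
! ===== ASA 8.2 and earlier =====
! Let a connection enter and leave the ASA on the same interface.
! Without this the hairpinned packet is dropped with no NAT involved.
same-security-traffic permit intra-interface

! Ordinary outbound PAT plus the public static for the server.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255

! Hairpin, part 1: inside clients that connect to 1.2.3.4 are
! destination-translated to 192.168.0.10 ...
static (inside,inside) 1.2.3.4 192.168.0.10 netmask 255.255.255.255
! ... and, part 2: their source address is PATed to the ASA's inside
! interface address. Without this second line the server replies
! directly to the client on the LAN, the ASA never sees the return
! packet, and the TCP handshake fails.
global (inside) 1 interface

! ===== ASA 8.3 and later: twice (manual) NAT =====
object network inside-net
 subnet 192.168.0.0 255.255.255.0
object network web-server
 host 192.168.0.10
 nat (inside,outside) static 1.2.3.4
object network web-server-public
 host 1.2.3.4
same-security-traffic permit intra-interface
! source: inside-net is PATed to the inside interface address
! destination: the mapped (public) object is translated to the real server
nat (inside,inside) source dynamic inside-net interface destination static web-server-public web-server
```

Verify it without a client by tracing a synthetic packet through the box, e.g. `packet-tracer input inside tcp 192.168.0.50 12345 1.2.3.4 80` (the client address 192.168.0.50 is made up); the output should show the NAT phase translating the destination to 192.168.0.10 and end with ALLOW, and `show xlate` / `show conn` will then show the hairpinned connection once a real client connects. Two caveats a practitioner should weigh against solutions 1 and 2: the server sees every inside client as the ASA's inside interface address, so its logs and any per-client access controls lose the real source, and every inside-to-server packet now crosses the ASA twice, which on a 5505 is measurable throughput you give up purely for the convenience of one address.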

You can't access the outside interface on a PIX/ASA from the inside. You should redirect DNS requests for the server's outside address to the internal address.

ewwhite