My servers are natted 1:1 as follows, i.i.i.i maps to x.x.x.x where i is an internal IP, and x is the external IP.

From an i.i.i.i machine, I cannot access x.x.x.x resources...

What special configuration might be necessary to allow looping out, then back in on these firewalls?

Thanks.

Novox
  • Can you ping machines on the opposite side? – Nov 13 '13 at 15:51
  • ping does not work either (I think that's blocked on my ASA). – Novox Nov 13 '13 at 15:52
  • More information, my config has the following lines: object network Internal_NAT_Range nat (inside,outside) static External_NAT_Range net-to-net A computer within the Internal_NAT_Range cannot access itself basically, via an External_NAT_Range IP. – Novox Nov 13 '13 at 15:53
  • Seems somewhat similar to this issue "http://serverfault.com/questions/487274/cisco-asa-5520-unable-to-access-external-ip-on-internal-network?rq=1", but the non-answer is to reconfigure NAT... – Novox Nov 13 '13 at 15:54
  • Cisco Adaptive Security Appliance Software Version 9.1(2) – Novox Nov 13 '13 at 15:55
  • I noticed this marked as duplicate (thank you @michael-hampton), however, since I cannot add comments to the original question, can anyone confirm if the 3 (4) solutions provided are really the only ones? Is it really not possible to reach my outside interface from my inside interface? – Novox Nov 13 '13 at 21:09
  • I enabled DNS doctoring, but I'm hosting reverse DNS internally, and when an external service tries to check the hostname for an external IP, it always mismatches (like reverse IP lookup for a mail server)... it appears that the nslookup external IP is being translated to the internal IP, and therefore, is always mismatched. Any suggestions for this scenario? – Novox Nov 15 '13 at 14:15

2 Answers

Found this, "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml" It explains "DNS Doctoring" which causes DNS lookups to be translated from the external IP to the internal IP, and therefore allows me to access internal servers (but isn't exactly the solution I was looking for).

Novox
Allowing traffic back through an interface on a Cisco PIX/ASA appliance, such as when a client accesses a NATed server through its public IP, is called NAT Hairpinning.

It uses essentially the same configuration parameters as usual, but with the addition of this command:

same-security-traffic permit intra-interface

and a second static mapping for inside-to-inside traffic to the server:

! pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,inside) x.x.x.x i.i.i.i netmask 255.255.255.255

This is described in detail complete with a configuration example here for a two-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

And here is a Destination NAT alternative for a three-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2

ErikE
  • @michael: The question you reference does not address the 4th possibility of hairpinning, which is a technical solution distinct from the three others, as configured on a Cisco firewall. May I therefore suggest to either let this question remain or to update the other with a NAT hairpinning solution. As I am new to this forum I am uncertain of acceptable procedures but am open for direction. [EDIT] I posted the answer to the other site as well, just in case duplicates are marked for deletion. – ErikE Nov 13 '13 at 22:02
  • I enabled DNS doctoring, but I'm hosting reverse DNS internally, and when an external service tries to check the hostname for an external IP, it always mismatches (like reverse IP lookup for a mail server)... it appears that the nslookup external IP is being translated to the internal IP, and therefore, is always mismatched. Any suggestions for this scenario? I am looking into NAT Hairpinning, but the "static" command (by itself) doesn't appear to be an option for IOS 9.1. How would I do this in IOS 9.1? – Novox Nov 15 '13 at 14:37
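The same hairpin on ASA 8.3 and later (the asker runs 9.1(2)), where the pre-8.3 static command was replaced by object NAT and twice NAT, as an added example that is not part of either answer or the linked Cisco documents. It reuses the object names from the asker's comment and the same-security-traffic line from ErikE's answer; the 10.0.0.0/24 and 203.0.113.0/24 addresses are constructed placeholders.

```cisco
! Added example (not from the original answers): ASA 8.3+ / 9.1 hairpin NAT.
! Object names follow the asker's config; the addresses are constructed.
object network Internal_NAT_Range
 subnet 10.0.0.0 255.255.255.0
object network External_NAT_Range
 subnet 203.0.113.0 255.255.255.0

! The asker's existing 1:1 net-to-net mapping toward the outside (unchanged).
object network Internal_NAT_Range
 nat (inside,outside) static External_NAT_Range net-to-net

! 1. Allow a flow to enter and leave the same interface (from ErikE's answer).
same-security-traffic permit intra-interface

! 2. Hairpin rule as twice (manual) NAT. For destination the mapped object
!    comes first, then the real one: an inside client that targets x.x.x.x
!    gets the destination rewritten to the matching i.i.i.i.
!    The source is PATed to the inside interface address so the server's
!    replies return through the ASA; without it the server would answer the
!    client directly from i.i.i.i, while the client expects x.x.x.x, and the
!    TCP session would fail. Manual NAT (section 1) is evaluated before the
!    object NAT rule above, so this rule wins for inside-to-inside traffic.
nat (inside,inside) source dynamic any interface destination static External_NAT_Range Internal_NAT_Range

! 3. Check the translation from the CLI before testing from a host
!    (constructed client 10.0.0.50 reaching public 203.0.113.60 on port 80).
packet-tracer input inside tcp 10.0.0.50 12345 203.0.113.60 80
```

With hairpinning in place the DNS doctoring workaround from the first answer is no longer needed, which also removes the reverse-DNS mismatch described in the last comment.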