[Last Call] Learn how to a build a cloud-first strategyRegister Now


Cisco-ASA 5505 - NAT works but same public IP can not be reach from inside

Posted on 2009-02-18
Medium Priority
Last Modified: 2012-05-06
Hi There:
I used following command to make my internal web application be accessible from the Internet using a Public IP, and it works, I can see the web site from Internet using the Public IP, But I can not use the same public IP to connect to the site from inside, I don't want to have two different IP for the internal and external use. How can I use the public IP even from inside?
Same problem for Ping, the following ping command works from outside but not from inside,
Thanks a lot in advance -  

Command used for NAT:
access-list outside_access_in extended permit tcp any interface outside eq 8080
static (inside,outside) tcp interface 8080 8080 netmask
access-group outside_access_in in interface outside

Command used for Ping:
access-list outside_access_in extended permit icmp any any echo-reply

ASA Version 8.0(4) 
hostname xxxASA
domain-name xxxdomain.com
enable password xYZ.AoCGaJu/Udrz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name disternetdomain.com
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq 8080 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface www www netmask 
static (inside,outside) tcp interface 8080 8080 netmask 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end

Open in new window

Question by:esasan
  • 2
  • 2
LVL 23

Expert Comment

ID: 23676827
couple of solutions come to mind:

1) if your ASA has recent firmware, you should be able to configure reverse nat translation to allow traffic out, then back in.. This is obviously a security concern and will need managing as fixup's are not applied in reverse.

2) you could place an entry in your internal DNS server to reflect the inside IP address for that particular external IP. - this would be the easiest.

3) If host headers are involved, step 2 would not work, you may need to provide host file updates to all clients to map a new URL address for that server.

This previous discussion should help:
LVL 25

Expert Comment

ID: 23677412
Packets can't go in and out the same interface on a PIX/ASA ever.  The recommended way to fix your issue is to give the public server its own IP and do a NAT so that you can use the 'dns' keyword to enable DNS doctoring.  

The only option you have otherwise is to try either option 2 or 3 from debuggerau.

here's why the firewall can't do what you want.  Since the inside host wants to go to the Public IP it sends a packet to that public IP.  When the packet hits the ASA it knows the packet is destined to go out the outside interface.  so it looks up how to translate the IPs via the global/nat and static commands.  While you can probably use the outside keyword to get it to translate the public IP to the inside IP of the server, it would still try to send it out the outside interface.  It woudl then try to route it back in the outside interface (my guessing of the process anyway) and it would drop it then.  Even if it did re-read the routing table and send it back to the inside interface it would drop it then because it came in from that direction.  So no matter what you can't get it to work unless you have a separate public IP for the server, use an internal DNS for your network, or inject a correct record to all your inside hosts.
LVL 23

Expert Comment

ID: 23688716

Author Comment

ID: 23697976
Thanks a lot for your responses,
I have one extra public IP address, what would be the next step?
Can you explain:
"so that you can use the 'dns' keyword to enable DNS doctoring."? how is that?

LVL 25

Accepted Solution

Cyclops3590 earned 2000 total points
ID: 23698102
currently you have this
>>static (inside,outside) tcp interface www www netmask

you would modify it to be this
static (inside,outside) dns

where is the extra public IP.  you'll have to update the acl so that its the correct public IP being allowed now.  But what this does then is when an inside host does a DNS query for the public server fqdn, the response from the public DNS server will return the public IP.  When the response packet gets to the ASA, it knows that the public IP maps to so it alters the DNS response; taking out the public IP and putting in the private IP.  Then it delivers to the inside host so the host tries to connect to the inside IP directly and removing the issue you're currently seeing.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question