
How do I route data back into my internal network when its destination is a NAT'd IP on my ASA?

Hi all

We've recently implemented an ASA firewall on a new internet link, and there is one interesting problem I'm trying to figure out how to get around.

When users on hosts on the inside interface of the network attempt to connect to public IP addresses which are routed to our ASA by our ISP, it seems that the packets first go out to the internet then back in again. This wastes bandwidth and costs us money.

An example is the following lines:

access-list outside_access_in extended permit tcp any host EXT-HCHMAIL object-group IN-HCHMAIL
static (inside,outside) EXT-HCHMAIL INT-HCHMAIL netmask 255.255.255.255

This works fine from both sides (as we have an ACL allowing all access to this range on the inside interface). However it sends the traffic out to our ISP before they route it back to us. Our routes on the ASA are:

route outside 0.0.0.0 0.0.0.0 139.130.117.161 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1

Is there a way to tell the ASA to check its own NAT rules before routing the traffic out and it comes back in again? I know on my core router I could just set up NAT rules or routes to secondary IP addresses on my internal servers, however this seems like a lot of doubling up of config'ing.

Thanks for any help and advice on best practices here.

Brett.
Brain2000 commented:
I call this one the "out and back".  Some ISPs don't even allow this.  The only effective way I've found around this is to set your internal DNS entries on your internal DNS server, and set your external DNS entries on your external DNS server.

So let's say you host a website, internal.abc.com.  And the IP address is 1.2.3.4.  Internally, it might be 192.168.0.5.  So you will want to set up DNS to point to 192.168.0.5 inside your network, but host 1.2.3.4 on an external DNS for the rest of the world.

You could also push static HOSTS files instead of the internal DNS server...

In 10 years I've not found a better way yet.  If anyone else knows of one, please let me know too.
 
brettrandall (Author) commented:
Yeah, I'd prefer not to have multiple DNS zones for the same domain, but I guess it would be easier to manage than virtual NICs on my servers with the public IP addresses attached. I'm going to wait a little longer in the hope that someone may have a solution that doesn't involve this before I accept, though thanks for the suggestion, it may yet be the best way forward.
 
Brain2000 commented:
I agree with you, I'd love to know a better way.  If someone finds a way, they deserve all the points+++
 
dcradduck commented:
what model ASA?
what size IP block do you have from your service provider?
are your servers publicly addressed or static NATted?  how many are there?

if you can send a diagram it would help to understand your current environment and how to fix it.

best practice is usually to set your public facing servers in a DMZ network - i can help further if i have the details above.
 
brettrandall (Author) commented:
It's an ASA5510. We have a /26 from the provider, and we static NAT about 10 hosts at the moment. Our connection to the ISP is actually via a small /30 network, and they route the /26 to our CE address on the ASA.

Don't really have any diagrams I can send out, but it is basically:

SERVER (Internal IP)  ->  Cat 6500 (VLAN 3 - server VLAN)  -> ASA5510 (also on VLAN 3) -> ISP

So coming back in, it follows the same route, except the ASA statically NATs our public IPs to the relevant internal IPs.

Hope this helps. DMZ would make sense, however all the servers only have two NICs which are in an active/active configuration. I'm guessing we'd either have to install new NICs (not possible - blade servers) or set up some type of VLANing which these servers support (some are on ESX so this would be easy, others are not so this would be more difficult).

Thanks
 
Brain2000 commented:
Here are the problems I've run into when trying to do an out and back.

1) The external IP address is only answered by the outside interface on the router, so the packet has to go to the router to get to it.
2) The router must NAT from the outside to inside interface in order to get the packet to the internal server that represents the public IP address.
3) Cisco will only NAT when you transition from an inside -> outside or outside->inside NAT interface.  That means the packet has to go out and back in.  But we need it to not transmit and we need it to come back in sourced from a different subnet so the internal server will return back to the router to be de-NATed.
4) Unless a different subnet is used from the router back in, the internal server will not send the packet back to the router, but instead short circuit it to the original sender's IP on the LAN.  That means you'll send a packet to the external IP address, but receive it back on the internal address.  Chances are your computer is not going to process that packet.

You might be able to set up another router off the side of the ASA in the DMZ that acts as nothing more than a reflector.  Instead of going to the ISP, it would bounce all external requests off the reflector.
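A small added model of points 3 and 4 above (not code from this thread; all addresses are constructed, and the firewall is a simplification rather than real ASA behaviour). It shows why a destination-only translation leaves the client with a reply from the wrong address, and why translating the client's source so the server must answer the firewall makes the hairpin work.

```python
"""Toy model of the 'out and back' (hairpin) flow: a LAN client dials a
server's public static-NAT address while both sit on the same inside subnet.
Addresses are constructed examples; the firewall is a simplified model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


PUBLIC_IP, SERVER_IP, CLIENT_IP = "203.0.113.10", "192.168.0.5", "192.168.0.20"
FW_INSIDE_IP = "192.168.0.1"           # firewall's own inside address (constructed)
LAN_PREFIX = "192.168.0."              # hosts on this prefix deliver to each other directly
STATIC_NAT = {PUBLIC_IP: SERVER_IP}    # static (inside,outside) EXT -> INT mapping


def firewall(pkt, hairpin_source_nat):
    """Translate the public destination to the inside server. If hairpin
    source NAT is on, also rewrite the source so the reply must return here."""
    dst = STATIC_NAT.get(pkt.dst, pkt.dst)
    src = FW_INSIDE_IP if hairpin_source_nat else pkt.src
    return Packet(src, dst, pkt.payload), (pkt.src, pkt.dst)  # keep original tuple


def server(pkt):
    """The server answers whatever source address it saw, with no idea of NAT."""
    return Packet(pkt.dst, pkt.src, "SYN-ACK")


def untranslate(reply, original):
    """Reverse both translations for a reply that came back to the firewall."""
    orig_src, orig_dst = original
    return Packet(orig_dst, orig_src, reply.payload)


def hairpin(hairpin_source_nat):
    """Return the reply packet as the client eventually sees it."""
    fwd, original = firewall(Packet(CLIENT_IP, PUBLIC_IP, "SYN"), hairpin_source_nat)
    reply = server(fwd)
    if reply.dst.startswith(LAN_PREFIX) and reply.dst != FW_INSIDE_IP:
        return reply                      # same subnet: server short-circuits the firewall
    return untranslate(reply, original)   # reply came back through the firewall


def client_accepts(reply):
    """The client's connection table expects the answer from the address it dialed."""
    return reply.src == PUBLIC_IP and reply.dst == CLIENT_IP
```

Without source NAT the reply arrives from 192.168.0.5 and is dropped; with it the client sees a reply from 203.0.113.10, which is the effect the "different subnet" or reflector approach is after.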
 
dcradduck commented:
Hi Brett,

When you say the servers only have two NICs in an active/active configuration, can you explain in a little more detail? Are they bonded? Etherchannel?  Are they active on different VLANs?

Thanks,
brian
 
brettrandall (Author) commented:
Thanks Brain2000 for the explanation - that helps a lot. May be an idea...

Brian the NICs are bonded within the OS. Both are active (up to 2gbps between them) but if one uplink or NIC fails, the other will keep operating in a failover mode. We don't currently have VLAN trunking enabled on those switchports.
 
dcradduck commented:
Hi Brett,

If both NICs are currently on a single VLAN (3), they could be publicly addressed and moved to the WEB-DMZ VLAN (4) without issue.

 
brettrandall (Author) commented:
Thanks Brian - this is not a simple short-term solution but may just do what we need with some planning, and would help us get a proper DMZ into place which we haven't done before.

Appreciate your help.
 
Brain2000 commented:
I was kind of hoping that someone would have a superman answer for this one.  We have not been able to move our servers to the DMZ because we have sensitive data on them.  So we must leave them behind pinholed nats and continue to use internal DNS.

Good luck to you!
 
dcradduck commented:
Hi Brain2000,

Are you in a linux or windows environment?  You mentioned the best way before as pushing a HOSTS file with local addresses - with a W2kx environment I know you can simply have all of your internal hosts use your AD/DNS server as primary DNS and have your A records resolve to the internal address of the server.  Since outside users don't use or see your internal DNS server, they obviously would resolve to the proper public address.  This would keep your internal traffic on your local LAN.

-brian