Solved

How do I permit passthru on a Cisco ASA 5505

Posted on 2010-09-18
8
363 Views
Last Modified: 2012-05-10
Hi, I have a ciscoe asa 5505 firewall.  I have it all configured so that everyone works great, except I can have a server communicate with itself using any outside IP.  I am curious to know how I can do this.  Any option that will work is excellent.  The server is nothing that needs to be secured or firewalled really, the basics of any protection it would need can be handled via software firewall, if an issues arrises.  Also I have more than one external ip, in fact I have one for machine on the inside, so giving that particular machine an static assigned external ip is not an issue.  I basically just need to be able to set the external ip with a listening port so that people from outside can access it, but at the same time I need for that machine itself to be able to verify that the service is readable.  So it needs to be able to communicate with itself on the outside IP address.  Screwy program I know.  Any help is greatly appreciated.
0
Comment
Question by:danvilleadmin
  • 3
  • 3
  • 2
8 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33707947
With DNS rewrite or NAT hairpinning

Are you connecting to public IP by DNS hostname?  If so, is the name resolved externally or via internal DNS servers?  If external, you can use DNS doctoring to rewrite the DNS response to the internal IP address.  This is a better option if possible versus hairpinning as the client to server traffic stays on the LAN and the ASA never sees it.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Billy
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33707952
One of the basic rules/limitations of ASA is: An inside host cannot communicate with another inside host by calling an outside ip. It simply doesnt work that way. Your question applies to this, the fact that the inside host is the same as the called host doesnt change anything.

What you can (or cant, depending on your application) is to fool the host with DNS. Either an internal DNS that resovles a domain name to an internal ip or an external DNS-server and doa dns-doctoring in the static-command.

If the application really requires to do this I would recommend putting the server behind an asa in transparent mode. By doing that you can still protect it but you can give the server an public ip so that it can "call" its own public IP. By doing this you dont do any address translation in your transparent firewall.

Anyhow, you need to do a workaround in some way or other, because exactly what you requests cannot be done in ASA. Sorry.

/Kvistofta
0
 

Author Comment

by:danvilleadmin
ID: 33708024
Kvisofta, the idea of putting the server bhind an asa in transparent mode is perfectly fine with me.  Can you by any chance give any input on how this can be done, sorry, my experience with Cisco has never been with an asa until now.

rfc1180, no its by ip not by dns.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33708037
>rfc1180, no its by ip not by dns.

Alternative Solution: Hairpinning
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Billy
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 17

Expert Comment

by:Kvistofta
ID: 33708137
Have a look at this documentation for explaining ASA in transparent mode:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Basically, you put it "invisible" with 2 interfaces on the same network segment and do port-filtering in the firewall for all traffic passing the "stealth mode" firewall.

/Kvistofta
0
 

Author Comment

by:danvilleadmin
ID: 33708360
Ok I'm reading thru the page on ASA in Transparent mode...it appears this is only going to apply to the whole ASA and not just the one server is that correct???  I really need to have the majority of the network behind the ASA as is now, but the one server on the outside.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33708513
Yes, that is correct.

/Kvistofta
0
 

Author Comment

by:danvilleadmin
ID: 33709051
Any suggestion that would allow me to only affect one pc
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Edgemax OS VPN, to Barracuda Link Balancer 7 89
ipsec tunnel comme not up 10 26
Gateway Resilience 4 23
EIGRP Configuration 2 18
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now