garyoh
Cisco ASA routing issue
I have a Cisco ASA 5505 to install. My network has a server (Server A) behind the firewall with a private IP of 192.168.1.1 and it is NAT'ed to (bogus address for example only) 123.123.123.1. Sales people will use a web app in a hosted environment in another state at (again bogus IP for example) 231.231.231.9. The web app communicates with Server A to provide data to the web app. This works just fine until the web app builds a PDF report at the end of its work and provides a button to download the PDF. The PDF button references the 123.123.123.1 location with a subdirectory. When a salesperson is outside the LAN, he is able to click the button and poof, the PDF appears, pulled from Server A. But when a salesperson is inside the LAN, the connection will time out, because it is referencing the public IP. This is a tad beyond me. Can anyone help?
ASKER
The URL of the pdf is an IP address, not a hostname. What part of the sho run do you need? Would prefer to post only the necessary or I can remove the private stuff.
ASKER
I should mention existing old sonicwall will do this just fine
Some hairpinning might help. An example:
!--- Output suppressed.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.0.192 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
!
!--- Output suppressed.
!
!--- Allow traffic to enter and leave the ASA on the same interface (required for hairpinning).
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
!
!--- Output suppressed.
!
global (outside) 1 interface
!--- PAT hairpinned inside clients to the inside interface address so the server's replies return via the ASA.
global (inside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
!--- Normal static for Internet clients.
static (inside,outside) 192.168.0.193 172.16.0.10 netmask 255.255.255.255
!--- Hairpin static: inside clients that connect to the public address get translated to the inside host.
static (inside,inside) 192.168.0.193 172.16.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
!
!--- Output suppressed
Source: http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html
The ASA will not let you access an address that is on the outside interface of the firewall from the inside interface of the firewall.
I would suggest changing the application so that it connects to a hostname and either using DNS re-write on the ASA or having an internal copy of the zone for the domain that references the internal address.
The "block" on the ASA is specifically designed to stop spoofing attacks and cannot be overridden. Sonicwall _do_ allow this type of configuration.
ASKER CERTIFIED SOLUTION
Could you show us what they did exactly?
Just being curious here.
ASKER
Cisco made this work for me.
The URL to the PDF, does it contain a hostname or an IP address? You need to use a hostname and make sure that the inside hosts resolve the hostname to the internal IP, not the external. That can be done with DNS doctoring in a few different ways, and in order to tell you exactly how we need to see your current running-config of the ASA.
Best regards
Kvistofta
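The two approaches discussed in this thread (hairpin NAT for an IP-literal URL, and DNS doctoring once the application uses a hostname) put together in one ASA configuration, using the asker's placeholder addresses. This is an added example, not configuration from any poster or from the ckdake.com source; it uses the pre-8.3 static/global/nat syntax that the thread's own snippet uses (ASA 8.3 and later replaced it with object NAT), and assumes an inside subnet of 192.168.1.0/24, interface names "inside" and "outside", and that the application only needs HTTPS (port 443) on Server A.

```cisco
! Added example, not the thread's configuration. Assumptions: inside server
! 192.168.1.1 is published as 123.123.123.1, inside subnet is 192.168.1.0/24,
! interfaces are named "inside" and "outside", the app needs only TCP/443.
!
! --- Option 1: hairpin NAT (works while the PDF URL is the IP literal) ---
! Let a connection enter and leave the ASA on the same interface.
same-security-traffic permit intra-interface
! Outbound PAT for inside hosts going to the Internet.
global (outside) 1 interface
! Inside hosts that hairpin are PATed to the inside interface address, so
! Server A's replies go back through the ASA instead of straight to the client.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
! Hairpin static: an inside client connecting to 123.123.123.1 is
! translated to 192.168.1.1 on the same interface.
static (inside,inside) 123.123.123.1 192.168.1.1 netmask 255.255.255.255
!
! --- Option 2: DNS doctoring (takes effect once the URL uses a hostname) ---
! The same static that publishes Server A to the Internet, with the "dns"
! keyword: DNS replies passing through the ASA that contain 123.123.123.1
! are rewritten to 192.168.1.1 for inside clients. Without the keyword this
! line is just the normal static needed by Option 1.
static (inside,outside) 123.123.123.1 192.168.1.1 netmask 255.255.255.255 dns
! DNS inspection must be enabled for the rewrite; it is part of the default
! global policy on the ASA.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Only what the hosted web app needs reaches Server A from outside; pre-8.3
! ACLs reference the translated (public) address. Restricting the source to
! the hosted app's address (231.231.231.9 in the question) is tighter still.
access-list outside_in extended permit tcp host 231.231.231.9 host 123.123.123.1 eq https
access-group outside_in in interface outside
```

Two things to check after applying it: `show xlate` from an inside client's download attempt should show the 123.123.123.1 to 192.168.1.1 translation being built, and the hairpin does add a round trip through the 5505 for every inside download. The DNS rewrite only works when the clients' DNS replies actually traverse the ASA (clients using an external resolver); if they use an internal DNS server, the internal zone copy suggested earlier in the thread is the right tool instead.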