Cisco ASA routing issue

garyoh
I have a Cisco ASA 5505 to install. My network has a server (Server A) behind the firewall with a private IP of 192.168.1.1 and it is NAT'ed to (bogus address for example only) 123.123.123.1. Sales people will use a web app in a hosted environment in another state at (again bogus IP for example) 231.231.231.9. The web app communicates with Server A to provide data to the web app. This works just fine until the web app builds a PDF report at the end of its work and provides a button to download the PDF. The PDF button references the 123.123.123.1 location with a subdirectory. When a salesperson is outside the LAN, he is able to click the button and poof, the PDF appears, pulled from Server A. But when a salesperson is inside the LAN, the connection will time out, because it is referencing the public IP. This is a tad beyond me. Can anyone help?
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Hello

The URL to the PDF, does it contain a hostname or an IP address? You need to use a hostname and make sure that the inside hosts resolve the hostname to the internal IP, not the external. That can be done with DNS doctoring in a few different ways, and in order to tell you exactly how we need to see your current running-config of the ASA.

Best regards
Kvistofta

Author

Commented:
The URL of the pdf is an IP address, not a hostname. What part of the sho run do you need? Would prefer to post only the necessary or I can remove the private stuff.

Author

Commented:
I should mention the existing old SonicWall will do this just fine.

Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Some hairpinning might help. An example:

!--- Output suppressed.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.192 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
!
!--- Output suppressed.
!
!--- Required for hairpinning: allows a packet to leave through the
!--- same interface it arrived on (inside -> inside).
same-security-traffic permit intra-interface
!--- Note: this ACL admits all ICMP and all TCP from the outside.
!--- In production restrict it to the published host and ports.
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
!
!--- Output suppressed.
!
global (outside) 1 interface
!--- PAT pool on the inside interface: hairpinned clients are source-
!--- translated to the ASA's inside address, so the server's replies
!--- return via the ASA instead of going directly to the client.
global (inside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
!--- Normal publish: 172.16.0.10 is reachable from outside as 192.168.0.193.
static (inside,outside) 192.168.0.193 172.16.0.10 netmask 255.255.255.255
!--- Hairpin: inside hosts connecting to 192.168.0.193 are redirected to 172.16.0.10.
static (inside,inside) 192.168.0.193 172.16.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
!
!--- Output suppressed


Source: http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html
The ASA will not let you access an address that is on the outside interface of the firewall from the inside interface of the firewall.

I would suggest changing the application so that it connects to a hostname and either using DNS re-write on the ASA or having an internal copy of the zone for the domain that references the internal address.

The "block" on the ASA is specifically designed to stop spoofing attacks and cannot be overridden. SonicWall _does_ allow this type of configuration.
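Both suggestions in this thread (DNS doctoring from Kvistofta, hairpin NAT from Ernie Beek) expressed in the ASA 8.3+ object/twice-NAT syntax, as an added example: this is not from any post above and is not the configuration Cisco applied for the author. It assumes interfaces named inside and outside, an inside subnet of 192.168.1.0/24, Server A at 192.168.1.1 published as the thread's placeholder 123.123.123.1, a test client at 192.168.1.50, and TCP 443 as the port the PDF is served on; all of those are assumptions.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax.
! Assumed: interfaces "inside"/"outside", inside subnet 192.168.1.0/24,
! Server A = 192.168.1.1 published as 123.123.123.1, client 192.168.1.50,
! PDF served on TCP 443.
!
object network ServerA-public
 host 123.123.123.1
 description Server A public address (the one in the PDF link)
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
!
! 1. Publish Server A. The "dns" keyword enables DNS doctoring: A-record
!    replies for 123.123.123.1 that pass through the ASA toward inside
!    hosts are rewritten to 192.168.1.1. This only helps once the PDF
!    link uses a hostname rather than the raw IP.
object network ServerA
 host 192.168.1.1
 description Server A private address
 nat (inside,outside) static ServerA-public dns
!
! 2. Hairpin for inside clients that still hit the raw public IP.
!    The flow enters and leaves the inside interface, which the ASA
!    refuses unless explicitly permitted.
same-security-traffic permit intra-interface
!
!    Twice NAT, inside -> inside, placed at line 1 so it is matched
!    before any broader manual rules: the destination 123.123.123.1 is
!    translated to 192.168.1.1, and the client is source-PATed to the
!    inside interface address so Server A replies to the ASA rather than
!    directly to the client (a direct reply would break the TCP session).
nat (inside,inside) 1 source dynamic INSIDE-NET interface destination static ServerA-public ServerA
!
! 3. Keep the outside ACL to what Server A actually serves instead of
!    "permit tcp any any". In 8.3+ the ACL references the real (private)
!    address.
access-list outside_in extended permit tcp any object ServerA eq 443
access-group outside_in in interface outside
!
! 4. Verify the U-turn from the ASA itself, without touching a client:
packet-tracer input inside tcp 192.168.1.50 40000 123.123.123.1 443
!    Expect a NAT/un-NAT phase showing 123.123.123.1 -> 192.168.1.1,
!    output-interface inside, and a final "Action: allow". Also useful:
show nat detail
show xlate
```

Two practical consequences of the hairpin rule: Server A's web logs will show the ASA's inside interface address, not the individual salesperson, for every hairpinned download, and each such download crosses the inside interface twice. The hostname plus DNS doctoring (or an internal DNS zone) path avoids both, which is why the answers above recommend it even though the hairpin alone fixes the symptom.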
Author

Commented:
I called Cisco tonight and they set up a static route to that server plus applied the appropriate ACL configurations. Problem solved.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Could you show us what they did exactly?
Just being curious here.

Author

Commented:
Cisco made this work for me.
