traffic between two private interfaces via NATed public interface on ASA

tato386
Level 6

I have an ASA with three interfaces which I will call public, internal1 and internal2.  Security levels are 0 for public, 100 for internal1 and 90 for internal2.  I have a few hosts on internal1 that have static NAT using the public interface and rules to allow TCP 80, 443, etc.

The internal1 machines exposed ports and services work fine from the Internet.  However, they are not reachable from machines on internal2.

Below is some IP info that might make the setup easier to understand.

Machine on internal1 interface
private IP: 192.168.1.10 NAT to public IP 1.1.1.10

Machines on internal2 interface
private IPs: 192.168.11.XX PAT to public IP 1.1.1.20

ASA Interfaces
internal1:  192.168.1.1
internal2:  192.168.11.1
public:  1.1.1.1


So the flow would be that a client on internal2 using 192.168.11.xx is PATed to 1.1.1.20 and sent out the public IP of the ASA, but must then come right back into the ASA on the same interface and be allowed to access the 1.1.1.10 web site, which resides on the internal1 machine with IP 192.168.1.10.

A packet trace from the ASA confirms that this is what is happening, and it confirms that the packet is allowed, yet it doesn't work.

I am open to a different configuration, but the only requirement is that internal2 be treated as a non-trusted network and not be allowed full access to internal1.  The unit is a 5515-X with 9.4.2.

Thanks,
Diego

Accepted Solution

Akshay Rastogi
Cisco Employee

Hi Diego,

From the explanation, I understand that the host on Internal2 wants to access the web server on the public IP, which actually resides behind Internal1.

As this is a DNS doctoring scenario, you could try this:

object network obj-192.168.1.10
 host 192.168.1.10
 nat (internal1,outside) static 1.1.1.10 dns
object network obj-192.168.11.0
 subnet 192.168.11.0 255.255.255.0
 nat (internal2,outside) dynamic 1.1.1.20

Alternatively, you could try this with destination NAT.

You could try the below type of configuration:

nat (internal2,internal1) source dynamic <object for 192.168.11.x> interface destination static <object-1.1.1.10> <object-192.168.1.10>
access-list test permit ip any any
access-group test in interface internal2

You could go through the link below :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc12


Regards,

Akshay Rastogi

5 Replies

Hello Akshay,

The DNS doctoring idea is interesting, but I am not sure it will work in my scenario.  It seems like you want the internal2 machines to get the private IP of the server when they query DNS.  However, they use a public DNS server, so DNS queries will be between int_outside and internal2.  If I turn on DNS doctoring, it seems like it will only apply to DNS crossing between int_outside and internal1, no?

Rgds,

Diego

Hi Diego,

Yes, the DNS query will be between Internal2 and Outside.  For the DNS query, the Internal1 interface will not come into the picture.  The whole point of enabling DNS doctoring is that when the DNS reply to Internal2's query comes back, the ASA changes the A record in the DNS reply (to the private address) as per the NAT statement, and the traffic is then able to reach the website internally.


Regards,

Akshay Rastogi

OK, I will give it a shot and let you know.

Thanks

Akshay,

I was finally able to get this to work.  It took three changes:

1) DNS doctoring as per your recommendation, to get internal2 machines to see the private IP of internal1 machines

2) Identity NAT for the internal1 private subnet to the internal2 private subnet

3) Change the implicit rule on internal1 and internal2 interfaces to be allow any


Thank you very much for your help.

Rgds.

Diego
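The configuration below is an added example, not configuration posted in this thread, that puts together the accepted answer's DNS doctoring NAT and the three changes Diego lists in his last reply (DNS doctoring, identity NAT between the two private subnets, and interface ACLs), using the interface names and addresses from the original post. It assumes the public interface is actually named public (the accepted answer writes outside), that the default global policy with DNS inspection is in place, and that 192.168.11.50 is a hypothetical internal2 client used only in the packet-tracer check. Where Diego changed the implicit rules to allow any, this version restricts internal2 to TCP 80 and 443 on the web server and denies everything else on internal1, because an allow-any rule between the two interfaces gives the untrusted network exactly the full access the original question says it must not have.

```cisco
! Web server on internal1: static NAT to 1.1.1.10 with DNS rewrite.
! The "dns" keyword makes the ASA rewrite A records in inspected DNS replies
! that carry 1.1.1.10 back to 192.168.1.10, so internal2 clients connect to
! the private address directly instead of hairpinning via the public interface.
object network obj-192.168.1.10
 host 192.168.1.10
 nat (internal1,public) static 1.1.1.10 dns
!
! internal2 clients: dynamic PAT to 1.1.1.20 for Internet-bound traffic only.
object network obj-192.168.11.0
 subnet 192.168.11.0 255.255.255.0
 nat (internal2,public) dynamic 1.1.1.20
!
! Identity (twice) NAT between the two private subnets, so internal2 -> internal1
! traffic to the doctored address 192.168.1.10 passes untranslated. Twice NAT is
! evaluated before object NAT, so this rule wins for traffic between the subnets.
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
nat (internal1,internal2) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0
!
! DNS doctoring only works when DNS inspection is enabled. This is the default
! global policy on ASA 9.x; it is repeated here so the dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Least privilege for the untrusted internal2 network: only 80/443 to the web
! server, nothing else on internal1, and the Internet as before. Applying an ACL
! replaces the implicit permit-to-lower-security rule, so the final permit is
! what keeps Internet access (via the PAT above) working.
access-list internal2_in extended permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.10 eq 80
access-list internal2_in extended permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.10 eq 443
access-list internal2_in extended deny ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list internal2_in extended permit ip 192.168.11.0 255.255.255.0 any
access-group internal2_in in interface internal2
!
! Verification from the ASA CLI (192.168.11.50 is a hypothetical internal2 client):
!   packet-tracer input internal2 tcp 192.168.11.50 12345 192.168.1.10 80
!     should end with Action: allow, with the NAT phase matching the identity
!     rule and the ACCESS-LIST phase matching internal2_in
!   packet-tracer input internal2 tcp 192.168.11.50 12345 192.168.1.10 22
!     should end with Action: drop (denied by internal2_in)
!   show nat detail      - confirms rule order and hit counts
!   show xlate           - confirms no translation is built for 192.168.11.x -> 192.168.1.10
```

The order of the ACL entries matters: the deny for the rest of 192.168.1.0/24 must precede the permit-any, otherwise internal2 would again reach every host on internal1. If the web server's real address ever changes, the object definition is the single place to update it; the ACL references the object's host address, so both the NAT and the filtering stay in step.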
