
I have a PIX running 8.0(3).

I've got a port-forward to permit external users to hit a server on my inside network, set up like so:

static (inside,outside) tcp interface 8080 192.168.168.100 8080 netmask 255.255.255.255
access-list ACLIN extended permit tcp any host xx.xx.xx.135 eq 8080

...and this works for external users. But people on the inside network can't hit http://xx.xx.xx.135:8080. What ACL do I have to add to permit this?

David Mackintosh
  • I believe that's called hairpinning or tromboning - why don't you just have your internal users hit 192.168.168.100:8080 ? – mfinni Apr 04 '13 at 16:36
  • My question exactly. I think their web application is one of those which wants to write all incoming requests into an authoritative URL, so in order for links to work identically for inside and outside users, the inside users have to be able to hit the trombone. (I like that word.) – David Mackintosh Apr 04 '13 at 17:06
  • So, if they hit it by sitename, and the internal DNS was resolving to the correct name, it would work correctly, right? – mfinni Apr 04 '13 at 17:07
  • If it was in DNS, which it isn't, for equally stupid reasons. – David Mackintosh Apr 04 '13 at 17:07
  • If the internal users are accessing the resource via a URL then why not add the domain to your DNS servers so they will return the internal IP of your server for internal users? – GerryEgan Apr 04 '13 at 17:08
  • Sorry, I wasn't clear. This has not been done because it is not possible, for stupid reasons. The URL being returned is based on the ip address of the external interface. – David Mackintosh Apr 04 '13 at 18:05
  • Are your internal users on the same subnet as the xx.xx.xx.135? Meaning, do they even go through the firewall to get there? If they do go through the firewall then you need to assign ACLIN to your inside interface as well. – Alex Apr 04 '13 at 18:07
  • I tried this: `access-list ACLOUT extended permit tcp any host xx.xx.xx.135 eq 8080` but it doesn't seem to work. ACLOUT is the acl attached to the inside interface. – David Mackintosh Apr 04 '13 at 19:59

1 Answer


Accessing an inside host via its externally facing NAT IP address adds a number of issues.

First, the PIX/ASA has to be configured to allow this type of communication. Generally it does not by default.

Second, it can lead to a number of asymmetrical routing issues. For instance, NAT traversal does not change the source IP address on an incoming packet. So what can happen is that H1 (internal host) makes a request to ES1 (external server IP/port). On the firewall, NAT changes the destination from ES1 to IS1 (internal server IP/port) and forwards the traffic. IS1 processes the request, sees that H1 is on the local network and forwards the reply there directly. H1 rejects the connection because it established a connection to ES1 and is expecting traffic from ES1 on that port, not from IS1.

Do a web search for "Cisco ASA hairpin" and you should find a number of discussions about working around these issues on the Cisco site, plus a large number of non-Cisco related references. For instance: https://supportforums.cisco.com/thread/1003238

YLearn
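The two problems the answer describes (the firewall refusing to turn traffic back out the interface it arrived on, and the server replying directly to the client so the client sees a reply from the wrong address) map to specific lines in the pre-8.3 NAT syntax that the question's own `static (inside,outside)` line already uses. The following is an added example put together by the editor from Cisco's published hairpinning (U-turn) configuration for PIX/ASA 7.x through 8.2; it is not the asker's or the answerer's configuration. It assumes the outside address is the placeholder xx.xx.xx.135 from the question, that the inside network is 192.168.168.0/24 (only the host 192.168.168.100 appears on the page), and that NAT id 1 is free to use.

```text
! Added example (not from the question or answer). Pre-8.3 PIX/ASA NAT syntax.
! Assumed: outside IP xx.xx.xx.135, inside network 192.168.168.0/24, NAT id 1 unused.

! 1. Allow a packet to leave the same interface it arrived on.
!    Off by default, which is the "first" issue in the answer.
same-security-traffic permit intra-interface

! 2. The existing outside->inside port forward from the question, unchanged.
static (inside,outside) tcp interface 8080 192.168.168.100 8080 netmask 255.255.255.255
access-list ACLIN extended permit tcp any host xx.xx.xx.135 eq 8080
access-group ACLIN in interface outside

! 3. Hairpin translation: an inside host sending to xx.xx.xx.135:8080 on the
!    inside interface gets its destination rewritten to the real server.
!    The outside IP is spelled out rather than written as "interface",
!    because on an (inside,inside) static that keyword would name the
!    inside interface's own address.
static (inside,inside) tcp xx.xx.xx.135 8080 192.168.168.100 8080 netmask 255.255.255.255

! 4. Fix the asymmetric return path (the "second" issue in the answer):
!    PAT the inside client's source address to the firewall's inside
!    interface, so the server replies to the firewall instead of straight
!    to the client. The firewall undoes both translations and the client
!    sees the reply come from xx.xx.xx.135, the address it connected to.
global (inside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0

! 5. Permit the hairpinned flow on the inside interface's ACL (ACLOUT in the
!    question). Pre-8.3 ACLs match the destination as it appears in the
!    packet, i.e. the mapped address xx.xx.xx.135, not 192.168.168.100.
access-list ACLOUT extended permit tcp 192.168.168.0 255.255.255.0 host xx.xx.xx.135 eq 8080
access-group ACLOUT in interface inside
```

If the box already has a `nat (inside) 1 ...` statement covering the inside network for ordinary outbound traffic, step 4 reduces to adding the `global (inside) 1 interface` line; adding a second `nat (inside) 1` for an overlapping network would be rejected. Without step 4 the ACL and the `static (inside,inside)` alone are not enough, which is consistent with the comment above reporting that adding only the ACLOUT entry "doesn't seem to work". To check the result without a client, `packet-tracer input inside tcp 192.168.168.50 12345 xx.xx.xx.135 8080` (192.168.168.50 is a made-up client address) walks the flow through the ACL and both translations and reports which phase drops it, and `show xlate` afterwards should list the new inside-to-inside entries.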