Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Accessing Inbound NAT from inside Network

  • Filter
  • Time
  • Show
Clear All
new posts

  • Accessing Inbound NAT from inside Network

    I have a strange problem I hope someone might just know the answer to, before I start with TAC. I have an inbound static NAT for a web server on the inside network of a corporate office. It's a test server for a small internet startup. The outside access to the server works fine with the following:

    access-list acl_outside permit tcp any host <PUBLIC IP B> eq 8080

    static (inside,outside) tcp <PUBLIC IP B> 8080 <INTERNAL HOST> 8080 netmask

    access-group acl_outside in interface outside

    There is also a dynamic PAT for all outbound traffic on PUBLIC IP A, which is also the outside interface address.

    So, browsing to http: // PUBLIC IP:8080 works from the outside just fine, but users on the inside network get nothing when trying to browse http: // PUBLIC IP:8080

    I did a capture on both the inside and outside interfaces. You can see the S packet go through from the client IP (on the inside network), but nothing ever shows up on the outside interface, nor are there ever any acks. Additionally, there is no traffic to the INTERNAL HOST. This tells me that the client IP is never NAT'd, nor is there a sync issue (the INTERNAL HOST never sees to the request to send an ack to the client's real ip). Where is this traffic lost? Is it an ACL issue? I've tried to add an ACL to the internal interface, but it doesn't seem to matter. Anyone got any ideas?

    Thanks much.
    -Robby Morris

  • #2
    Re: Accessing Inbound NAT from inside Network

    Hi Robby.

    I think you may be dealing with a security feature that prohibits traffic (how do I word this) being routed back to the same interface it originate from.

    To get around this you may need to modify your internal DNS so it points to the internal IP address or just use the internal IP address directly.

    There may be a way to configure your router to allow that type of routing but I'll let the Cisco experts address that. But I'm sure they'll want to know what model you're using.

    Thanks for the post.

    Network Consultant/Engineer
    Baltimore - Washington area and beyond


    • #3
      Re: Accessing Inbound NAT from inside Network

      Thanks! It's an ASA 5510 - I too think it's an ACL issue, but if it's a "feature" it should be able to be modified. Thanks again,



      • #4
        Re: Accessing Inbound NAT from inside Network

        Additional Note - the desired behavior occurs just fine on most consumer level firewalls, including a cyberguard. they don't have this security "feature".


        • #5
          Re: Accessing Inbound NAT from inside Network

          I believe I found the issue. Cisco does not allow, by default, for traffic to traverse the same security interface (as mentioned earlier).

          Using same-security-traffic permit intra-interface command allows IPSec traffic (eg RA VPN users) to flow across the same interface, and according to this webpage, clear text is allowed in 7.2:

          "Software release 7.2 includes the capability to route clear text data in and out of the same interface".

          Looks like I have to upgrade! O'Joy.


          • #6
            Re: Accessing Inbound NAT from inside Network


            I have the same situation. My internal machines are natted with public ip but some of the internal machines are in different VLANs so the user dont have any choice other than accessing the site on public ip which is natted on firewall and same firewall is used as gateway to access internet traffic.

            I also tried by configuring same security traffic permit intra-interface command but that didnt help me out

            Pls guide what needs to be enabled in firewall so that the internal machines natted with public ip should be accessable on public ip.

            Thanks & Rgds,
            Feroz Khan


            • #7
              Re: Accessing Inbound NAT from inside Network

              hi robby,

              Kindly try the following,

              1. Does the client PC able to access any public websites ( e.g:

              2. Check the DNS settings in the PC

              3. Try to access the webserver with the local IP

              4. try the follwoing commands

              alias (inside) localIp publicip

              for more info plps check the below URl


              Hope this will help u.

              Thanks and Best regards



              • #8
                Re: Accessing Inbound NAT from inside Network

                Dear Prabhu,

                Thanks I hope the alias command should work for me. Let me test at the customer place.

                Thanks & Rgds,
                Feroz Khan


                • #9
                  Re: Accessing Inbound NAT from inside Network

                  Hi Feroz

                  all the best and do let us know the status.