FWSM allow traffic in and out the same interface

[Beefcake35]

Hi,
My current setup.
I have a Cisco Router that has a def route of a FWSM. The Ethernet side of the router has 2 connections. FE0/0 to the LAN 192.168.10.0 and FE1/0 to a switch I have a dmz setup on.. call it 1.2.3.0. In the DMZ I have a web server that connected to the WAN and the web server is also on the 192.168.10.0 network.
I am able to access the web server from the public internet, but not from my internal LAN. I assume this is because by default Cisco does not allow traffic in and out the same interface.
FWSM supports the following and I tried these commands.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
This did not work.

I am able to access my web server via LAN IP.
My DNS is public so there is no way to re-direct this traffic to the private side from the private side.

Any ideas? Am I missing something?
The above 2 are the only commands I have tried.

BTW. I am doing a nat exemption through my fwsm on the public ip of my web server.

Thanks in advance!

 

[unclerico]

Have you tried:
- Using the alias command
- DNS rewriting
- Split-brain DNS

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Beefcake35]

No I haven't. Can you give me a bit morr info on that?

 

[unclerico]

Sure can:
DNS Doctoring:

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Alias command:

http://cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1624200

Split-brain DNS (towards the bottom of the article [this is assuming the use of MS AD/DNS]):

http://msdn.microsoft.com/en-us/library/ms954396.aspx

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Beefcake35]

The only problem with that is the internal ip of my device is for administration only.I really need to connect to the public side.

 

[Beefcake35]

Has anyone successfully used the same security traffic command? Is there something else I can try to all ow this hairpinning? Getting desperate here.

 

[unclerico]

BTW. I am doing a nat exemption through my fwsm on the public ip of my web server.

Can you post this??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Beefcake35]

Sure can- what would you like me to post?

 

[unclerico]

your NAT exemption rule(s)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Beefcake35]

here is my actual nat exempt rule. I am exempting a entire /28

access-list inside_nat0_outbound extended permit ip 216.x.x.208 255.255.255.240 any

Right now I am allowing any in bound traffic to my ip address. It is accessible from the outside but not from the internal LAN.
I have entered both commands.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Do I need to add a separate nat exemption for my static ip in order to get this same security command to work or something?


Thanks!!!!

 

[unclerico]

I have to ask why that is even in there?? Does your web server actually have a public IP assigned to its NIC??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Beefcake35]

Ya my server has a public IP and a private IP. The public side needs accessed by the public and the private lan

 

[Beefcake35]

Anyone have an idea try? Otherwise I guess I will have to get with Cisco Really want to avoid that

 

[brianinms]

Why do you have a public ip address and a private ip assigned to the server? You should merely have a private ip and nat it to the public thru the firewall.

 

[Beefcake35]

The private is only used for management of the server. That needs accessible from the entire lan.I would really like to keep the current setup, but if I need to run static Nat that's what I will do