Website internal/external
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Wow, that verbiage could not be more clear compared to Cisco.
-
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
-
@bbigford said in Website internal/external:
Wow, that verbiage could not be more clear compared to Cisco.
That's because one makes their money from being clear and easy as they don't certify consultants; the other makes their money from being obtuse and getting money from a support and consulting ecosystem. It's not in Cisco's interest to make things easy or clear for their customers.
-
@bbigford said in Website internal/external:
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.
-
@scottalanmiller said in Website internal/external:
@bbigford said in Website internal/external:
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.
already made a new topic for this discussion.
-
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
-
@bbigford said in Website internal/external:
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
Here's what I got to so far, with an error below... Nat (inside,inside) source dynamic NETWORK_OBJ_192.168.0.0_24 interface destination static SL-SA-PublicIP4 obj-192.168.0.23_443 SL-SA_PublicIP4 is the app's public IP, obj-192.168.0.23_443 is the internal server's address and port that the app is bound to.
Error: WARNING: Pool (application public IP listed here) overlap with existing pool.
-
@bbigford said in Website internal/external:
@bbigford said in Website internal/external:
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
Here's what I got to so far, with an error below... Nat (inside,inside) source dynamic NETWORK_OBJ_192.168.0.0_24 interface destination static SL-SA-PublicIP4 obj-192.168.0.23_443 SL-SA_PublicIP4 is the app's public IP, obj-192.168.0.23_443 is the internal server's address and port that the app is bound to.
Error: WARNING: Pool (application public IP listed here) overlap with existing pool.
I think that error is being generated, because of another NAT rule for (inside,outside) regarding that object. Not sure though.
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Oh I see, that clears it up for me.
Yeah that's why I've not experienced it... nothing I ran in to was ever publicly hosted internally. If it was, was already working. I do remember seeing "NAT loopback" before, but never heard of Hairpin.
-
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
Yeah that's a decade or more before I really got in to IT... before my time.
It must have always been a default (non-adjustable) feature of home routers when I've done my port forwarding. I never had to worry about that. In enterprise, I was just never in an environment that did it like that.