topic I figured it out. Took a in Network Security

Hairpinning on ASA 5525 running 9.1(5)

kerryjcox — Tue, 12 Mar 2019 05:20:45 GMT

I am spinning up a new VDI environment in another subnet behind our ASA 5525. There are currently three internal subnets:

inside 10.1.1.0 /24 security 100

dmz 192.168.1.0 /24 security 50

citrix 172.16.1.0 /24 security 100

I have Citrix users connecting into the 172.16.1.0 /24 subnet who then need to access items in the 10.1.1.0 /24 subnet. DNS lookups for blah.mycompany.com resolve to the outside IP for the hosts in the inside network, i.e. they try to connect to blah.mycompany.com and though they can ping the host at 10.1.1.50 from 172.16.1.100 (and reverse), the DNS query points them to 206.53.xx.50. So, they end up trying to hairpin.

Is there an easy way to define users in the 172.16.1.0 /24 subnet to access hosts in 10.1.1.0 /24 by using mycompany.com and have it not be NAT'ed?

I have already enabled "same-security-traffic permit intra-interface". Just wondering the best way to allow users to connect directly using external DNS resolution via the firewall.

Thanks.

I figured it out. Took a

kerryjcox — Wed, 14 Jan 2015 22:45:18 GMT

I figured it out. Took a couple tries, but here's the result which now works. Users in 172.16.1.0/24 can access hosts in the inside subnet (10.1.1.0/24) by using the externally resolved DNS name or blah.mycompany,com.

Here's the line:

nat (citrix,inside) source static citrix-network citrix-network destination static web01.mycompany.com web01.local no-proxy-arp

breakdown of objects:

citrix-network = 172.16.1.0 255.255.255.0

web01.mycompany.com = 205.50.xx.50

web01.local = 10.1.1.50

Hope this helps someone.

Perhaps there could have been

Karsten Iwen — Wed, 14 Jan 2015 23:10:46 GMT

Perhaps there could have been an easier way. Probably you have an object-nat like the following:

object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50

This just has to be changed to

object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50 dns

And the "same-security-trafic" command is not relevant here.

Karsten,Yes, I tried your way

kerryjcox — Wed, 14 Jan 2015 23:14:07 GMT

Karsten,

Yes, I tried your way, but it did not affect the users in the citrix subnet or 172.16.1.0/24. Had the users been in the same subnet, then it would have been relevant. I did try using the "Translate DNS replies" option, but that was no good for users in a separate subnet.

Thanks much, however. This has given much to absorb and to use elsewhere.

Kerry