topic outbound web request to internally hosted (natted server) in Network Security

outbound web request to internally hosted (natted server)

ajenks — Tue, 12 Mar 2019 02:32:09 GMT

Hi, I've got an issue with hairpining traffic on the ASA, it's a bit different to the usual VPN in/out query, not sure of the best way to approach this:

[example names/IPs used]

a)Web server hosted in dmz. External DNS resolves www.example.com to 8.8.8.10, ASA NATs 8.8.8.10 (outside) to 192.168.1.10 (DMZ)

b)Outbound web request (from internal network client) 10.0.0.1 is natted to source 8.8.8.9 (outside) - doesn't use a proxy and uses external DNS.

Web browsing to externally hosted sites works fine (as you'd expect), inbound web requests from foreign addresses works fine. When internal client browses to www.example.com, request fails.

I assume this is because the outbound request is Natted to originate from 8.8.8.9 and destined for 8.8.8.10 which is on the same interface on the ASA.

As the client is not using a proxy I cannot manipulate or redirect the request at this level.

What would be the best way to address this issue? Would I create some kind of NAT exception/configuration like :

source=10.0.0.x destination=8.8.8.10 NAT to source=10.0.0.x destination=192.168.1.10? meaning I would have multiple NAT rules (for multiple internally hosted servers) or is there a better way of doing this (given I am working with the outside interface which will include public traffic)?

outweb web request to internally hosted (natted server)

Marius Gunnerud — Sun, 01 Sep 2013 20:29:22 GMT

So inside hosts are trying to access www.example.com using an external DNS. is the 8.8.8.10 address being fully NATed to the 192.168.1.10 address or is PAT being used (only specific ports being NATed). the reason I ask is that an option would be to use DNS doctoring but this is not supported when using PAT. this is done by adding the dns keyword at the end of the NAT statement.

What version ASA are you running?

Another option would be to NAT the 8.8.8.10 to 192.168.1.10 from the inside to the DMZ. NAT exemption will not work as that just prevents NATing from taking place. You would need to NAT traffic destined for 8.8.8.10 on the inside interface to the DMZ.

Both options are good options, but if possible I would go with the first option.

outbound web request to internally hosted (natted server)

ajenks — Mon, 02 Sep 2013 16:35:52 GMT

Thanks for your reponse. I am testing DNS Rewrite as a result of your suggestion. This appear to meet requirements and is preferred over your second suggestion as it does not require maintenance of additional NAT rules to control the internal redirection (in event of DNS changes).