topic ASA NAT Loopback in Network Security

ASA NAT Loopback

CompuVision Admin — Mon, 11 Mar 2019 23:44:42 GMT

I have a requirement to access one of our outside interface IP addresses from inside the network.

The scenario is we have teleworker devices that we provision in house before sending out. These devices cannot use a hostname but must be programmed with the IP. I would like to able to confirm these devices are working before shipping them out.

I've been attempting some kind of loopback/hair pinning NAT rules but haven't managed to get one working yet.

Any help would be greatly appreciated.

Device: ASA 5510 v8.4

ASA NAT Loopback

Ramraj Sivagnanam Sivajanam — Wed, 22 Aug 2012 04:03:47 GMT

Hi Bro

There's no provision for interface loopback in Cisco ASA. What you can do is, set an IP Address, Subnetmask and Default Gateway on those teleworker devices, place them on the INSIDE nameif of the Cisco ASA, and try to access devices on the OUTSIDE nameif of the Cisco ASA. You can ping the OUTSIDE IP Address from INSIDE, provided you've the management-access outside command, but this is messy.

P/S: If you think this comment is useful, please do rate them nicely 🙂

ASA NAT Loopback

CompuVision Admin — Wed, 22 Aug 2012 14:35:49 GMT

I don't think I explained it very well.

The device the teleworkers need access to is on the inside. But I don't want to programme the teleworks with the internal IP as that obviously won't work when they are shiped out.

209.x.x157 is static NAT'd to 10.1.11.9

I need for the teleworkers to be able to reach 209.x.x.157 from the inside rather than having to use 10.1.11.9.

Hopefully that better explains it.

Re: ASA NAT Loopback

Ramraj Sivagnanam Sivajanam — Wed, 22 Aug 2012 18:25:23 GMT

If that's the case, you'll need to enable Cisco DNS Doctoring in your Cisco FW. You could refer to this Cisco URL as a guide http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

P/S: If you think this comment is useful, please do rate it nicely 🙂

Re: ASA NAT Loopback

CompuVision Admin — Wed, 22 Aug 2012 23:16:58 GMT

As I understand it, DNS doctoring simply hijacks the DNS request and replaces the external IP with the internal. I don't see how that is going to help considering there are no DNS requests taking place.

If I could programme the teleworker devices with a hostname I would just run split DNS and call it a day. Unfortunately I cannot.

As much as I dislike SonicWALL devices, a loopback NAT rule is a 15 second task on them. In fact most are auto generated.