DNS doctoring / rewrite / hairpinning not working

smithcolm
Level 1

Hi.

I have an ASA 5510.

I have an Exchange OWA server that gets all traffic from 1 IP on 1 interface (and then the firewall allows only HTTPS).

I need this OWA server to be able to access its own hosted website from its external address, which right now it can't.

So say from the server I go to https://external.domain.com/exchange

This times out.

It works OK from other computers that do not have the ASA as their default gateway, so the server is working and ports are forwarding correctly.

I ticked "DNS rewrite" on the static NAT rule, but it is still not working.

Any ideas?

Thanks

1 Accepted Solution

Hi,

So it seems that you have software that still uses the older NAT format, since you are running 8.2 (big change from 8.3 onwards).

I am kind of wondering if this will work, since usually people are asking for a solution for a similar case, but there the requirement is that the internal hosts can contact the server using the public IP address.

If I were to presume the following starting information for these configurations:

  • Interfaces named "inside" and "outside"
  • Public IP 1.1.1.1 Local IP 192.168.10.10
  • Existing Dynamic PAT configuration for the network 192.168.10.0/24 using ID 1 and PAT IP address is the "outside" interface IP address

Then the current configuration (part of it) might be this:

global (outside) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

I would then probably try to add the following:

global (inside) 1 interface

static (inside,inside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

And make sure the following setting is enabled on the ASA:

same-security-traffic permit intra-interface

- Jouni

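The pre-8.3 pieces Jouni lists above (intra-interface permit, a `global (inside)`, and the `static (inside,inside)` for the same public/local pair) can be checked mechanically against a saved `show running-config`. This is an added example, not code from the thread or from Cisco: the config fragment is constructed, the interface name and the 1.1.1.1 / 192.168.10.10 pair are the ones assumed in the answer, and the `dns` keyword on the outside static is what the "DNS rewrite" checkbox the original poster ticked corresponds to.

```python
import re

# Constructed sample running-config fragment (pre-8.3 syntax), with every
# piece from the accepted answer present, plus "dns" on the outside static.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255 dns
static (inside,inside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [options]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(.*)$")
# global (ifc) nat_id interface|pool
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
HAIRPIN_KEYS = ("intra_interface", "global_inside", "static_inside_inside")


def hairpin_prereqs(config, inside, public_ip, local_ip):
    """Report which pre-8.3 hairpin prerequisites exist for one public/local pair."""
    found = {k: False for k in HAIRPIN_KEYS}
    found["dns_rewrite_outside"] = False  # "DNS rewrite" checkbox = "dns" keyword
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            found["intra_interface"] = True
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask, opts = m.groups()
            if (mapped_ip, real_ip) != (public_ip, local_ip):
                continue  # a static for some other server, ignore
            if real_ifc == mapped_ifc == inside:
                found["static_inside_inside"] = True
            elif real_ifc == inside and "dns" in opts.split():
                found["dns_rewrite_outside"] = True
            continue
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == inside:
            found["global_inside"] = True
    return found


def missing_for_hairpin(config, inside="inside", public_ip="1.1.1.1", local_ip="192.168.10.10"):
    """List the hairpin pieces from the accepted answer that are absent from config."""
    found = hairpin_prereqs(config, inside, public_ip, local_ip)
    return [k for k in HAIRPIN_KEYS if not found[k]]
```

Running `missing_for_hairpin` over a config that has only the original `global (outside)` / `nat` / `static (inside,outside)` lines returns all three keys, which is the state the original poster was in.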

4 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure why the server needs to contact itself through the public IP address. Why won't it just use the local IP address? Or I wonder if the 127.0.0.1 loopback would work also?

Naturally you can configure a NAT configuration to enable this to work (or try at least), but for that I would need to know the current software version of the ASA or see the NAT configurations currently on the firewall.

- Jouni

I don't know either, I'm also trying to follow up on that too!!

Cisco Adaptive Security Appliance Software Version 8.2(4)

Device Manager Version 6.2(1)

There's no real complex NAT stuff going on; the box is not the default gateway of most devices here, it just does NAT for some web servers and hosts a few VPNs.


I am not sure if there is a requirement for this, as Exchange is working.

In fact I am not going to bother even trying, because I have been told we are updating Exchange in the next few weeks.

Thanks for your help though! :-)
