Hairpinning on ASA 5525 running 9.1(5)

kerryjcox
Level 1

I am spinning up a new VDI environment in another subnet behind our ASA 5525. There are currently three internal subnets:

inside 10.1.1.0 /24 security 100

dmz 192.168.1.0 /24 security 50

citrix 172.16.1.0 /24 security 100

I have Citrix users connecting into the 172.16.1.0 /24 subnet who then need to access items in the 10.1.1.0 /24 subnet. DNS lookups for blah.mycompany.com resolve to the outside IP for the hosts in the inside network, i.e. they try to connect to blah.mycompany.com and though they can ping the host at 10.1.1.50 from 172.16.1.100 (and reverse), the DNS query points them to 206.53.xx.50.  So, they end up trying to hairpin.

Is there an easy way to define users in the 172.16.1.0 /24 subnet to access hosts in 10.1.1.0 /24 by using mycompany.com and have it not be NAT'ed?

I have already enabled "same-security-traffic permit intra-interface". Just wondering the best way to allow users to connect directly using external DNS resolution via the firewall.

Thanks.

3 Replies

kerryjcox
Level 1

I figured it out. Took a couple tries, but here's the result which now works. Users in 172.16.1.0/24 can access hosts in the inside subnet (10.1.1.0/24) by using the externally resolved DNS name or blah.mycompany.com.

Here's the line:

nat (citrix,inside) source static citrix-network citrix-network destination static web01.mycompany.com web01.local no-proxy-arp

breakdown of objects:

citrix-network = 172.16.1.0 255.255.255.0

web01.mycompany.com = 205.50.xx.50

web01.local = 10.1.1.50

Hope this helps someone.

Perhaps there could have been an easier way. Probably you have an object-nat like the following:

object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50

This just has to be changed to

object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50 dns

And the "same-security-traffic" command is not relevant here.

Karsten,

Yes, I tried your way, but it did not affect the users in the citrix subnet or 172.16.1.0/24. Had the users been in the same subnet, then it would have been relevant. I did try using the "Translate DNS replies" option, but that was no good for users in a separate subnet.

Thanks much, however. This has given much to absorb and to use elsewhere.

Kerry
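For anyone landing here later, the following is an added, consolidated example that is not from any of the posters above: it puts the objects, the twice NAT rule from Kerry's solution and the object NAT with the dns keyword from Karsten's suggestion into one ASA 9.1 config fragment, with comments explaining what each piece does and two commands for verifying the result. The object names, addresses and interface names are the ones used in the thread (with the public address written 205.50.xx.50 as in the solution post); the description strings and the verification source port are my own additions, and the explanation of why the dns keyword did not help the citrix clients is my reading of the behaviour Kerry reported, not something the thread states.

```cisco
! Added example, not the thread's own configuration.
! Objects used by both NAT rules.
object network citrix-network
 subnet 172.16.1.0 255.255.255.0
!
object network web01.mycompany.com
 host 205.50.xx.50
 description Public address that external DNS returns for web01
!
! Section 2 (object NAT): the existing static for Internet users.
! "dns" rewrites the A record in DNS replies that cross the ASA
! between this rule's two interfaces (inside <-> outside). A reply
! travelling outside -> citrix does not cross that pair, which is
! consistent with the citrix users still getting 205.50.xx.50.
object network web01.local
 host 10.1.1.50
 description Real (inside) address of web01
 nat (inside,outside) static 205.50.xx.50 dns
!
! Section 1 (manual / twice NAT): for traffic from the citrix interface
! to the public address, rewrite the destination to the real inside
! address. The source is identity-translated (citrix-network ->
! citrix-network) so the server's reply returns to the client unchanged.
! no-proxy-arp keeps the ASA from answering ARP for the mapped
! destination address on the citrix segment. Manual NAT is evaluated
! before object NAT, so this rule wins for citrix -> inside flows and
! the object rule above is untouched for everything else.
nat (citrix,inside) source static citrix-network citrix-network destination static web01.mycompany.com web01.local no-proxy-arp
!
! Verification from exec mode (not part of the running config):
!   show nat detail
!   packet-tracer input citrix tcp 172.16.1.100 40000 205.50.xx.50 80
! The packet-tracer output should show the manual NAT rule matching,
! the destination translated to 10.1.1.50, and the packet egressing
! the inside interface instead of being hairpinned out to outside.
```

Because the twice NAT rule is keyed on both the source network and the destination address, hosts in the dmz or inside subnets are not affected by it; each additional subnet that needs the same shortcut requires its own (ifc,inside) rule, or the source object widened to cover it.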
