01-14-2015 02:21 PM - edited 03-11-2019 10:20 PM
I am spinning up a new VDI environment in another subnet behind our ASA 5525. There are currently three internal subnets:
inside 10.1.1.0 /24 security 100
dmz 192.168.1.0 /24 security 50
citrix 172.16.1.0 /24 security 100
I have Citrix users connecting into the 172.16.1.0 /24 subnet who then need to access items in the 10.1.1.0 /24 subnet. DNS lookups for blah.mycompany.com resolve to the outside IP for the hosts in the inside network, i.e. they try to connect to blah.mycompany.com and though they can ping the host at 10.1.1.50 from 172.16.1.100 (and reverse), the DNS query points them to 206.53.xx.50. So, they end up trying to hairpin.
Is there an easy way to define users in the 172.16.1.0 /24 subnet to access hosts in 10.1.1.0 /24 by using mycompany.com and have it not be NAT'ed?
I have already enabled "same-security-traffic permit intra-interface". Just wondering the best way to allow users to connect directly using external DNS resolution via the firewall.
Thanks.
01-14-2015 02:45 PM
I figured it out. Took a couple tries, but here's the result which now works. Users in 172.16.1.0/24 can access hosts in the inside subnet (10.1.1.0/24) by using the externally resolved DNS name or blah.mycompany.com.
Here's the line:
nat (citrix,inside) source static citrix-network citrix-network destination static web01.mycompany.com web01.local no-proxy-arp
breakdown of objects:
citrix-network = 172.16.1.0 255.255.255.0
web01.mycompany.com = 205.50.xx.50
web01.local = 10.1.1.50
Hope this helps someone.
01-14-2015 03:10 PM
Perhaps there could have been an easier way. Probably you have an object-nat like the following:
object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50
This just has to be changed to
object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50 dns
And the "same-security-traffic" command is not relevant here.
01-14-2015 03:14 PM
Karsten,
Yes, I tried your way, but it did not affect the users in the citrix subnet or 172.16.1.0/24. Had the users been in the same subnet, then it would have been relevant. I did try using the "Translate DNS replies" option, but that was no good for users in a separate subnet.
Thanks much, however. This has given much to absorb and to use elsewhere.
Kerry
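The two configurations discussed in the thread, assembled into one ASA config fragment as an added example (not posted by either participant). The object definitions for citrix-network, web01.mycompany.com and web01.local are reconstructed from the values Kerry listed, "xx" stays a placeholder as in the thread, and the packet-tracer flow (172.16.1.100 to port 80) is a constructed check for which NAT rule a Citrix client actually hits.

```cisco
! Objects referenced by the twice-NAT rule (reconstructed from the thread)
object network citrix-network
 subnet 172.16.1.0 255.255.255.0
object network web01.mycompany.com
 host 205.50.xx.50
object network web01.local
 host 10.1.1.50

! Kerry's working rule: citrix -> inside, destination un-NAT only.
! Source is left as-is (citrix-network -> citrix-network); the public
! address is rewritten to the private host before the route lookup, so
! the flow goes straight to inside instead of hairpinning toward outside.
nat (citrix,inside) source static citrix-network citrix-network destination static web01.mycompany.com web01.local no-proxy-arp

! Karsten's alternative: DNS rewrite on the existing object NAT.
! "dns" makes the ASA rewrite the A record in DNS replies that cross the
! (inside,outside) pair, so clients behind that pair receive 10.1.1.50.
object network web01.local
 host 10.1.1.50
 nat (inside,outside) static 205.50.xx.50 dns

! Verify: trace a constructed flow from a Citrix host to the public
! address and confirm the citrix,inside rule matches, then list the
! rules with hit counts.
packet-tracer input citrix tcp 172.16.1.100 1025 205.50.xx.50 80
show nat detail
```

Twice NAT (section 1) is evaluated before object NAT (section 2), so if both rules are present the citrix,inside rule is the one that applies to traffic from 172.16.1.0/24.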