ASA 5505 - Hairpinning or simple ACL/NAT entry?

I've attached a document showing how this network is designed. A client on a guest vlan behind the ASA, nat'd to one address on the public subnet, needs to be able to get out to the internet, and still come back in for specific services, such as OWA, via the IP which the mail server is nat'd to. The drawing is pretty explanatory. Do I simply need to create a NAT statement and ACL to allow that client out and back in, or do I need to set up hairpinning? I'm working with a Cisco ASA 5505 Version 8.4(4)3.

Note: The drawing has public IPs substituted with 1.1.1.x, with the final octet being accurate.

18 Replies

Let's do this:

Try to ping the server (172.16.1.15) from the ASA to confirm it replies to ping.

If it does, then let's take a capture:

cap capadmin int admin match icmp host source_IP host 172.16.1.15

cap capguest int guest match icmp host source_IP host 1.1.1.228

Try to ping from the client

show cap capadmin

show cap capguest

Felipe.

I ping the outside IP address, and the response comes from the internal IP of the server. However, browsing to https://mail.customer.com/owa or https://1.1.1.228/owa still does not work. Below are the capture results, along with ping from client.

asa# cap capadmin int admin match icmp host 192.168.96.7 host 172.16.1.15
asa# cap capguest int guest match icmp host 192.168.96.7 host 1.1.1.228

asa# sh cap capadmin
4 packets captured
   1: 08:52:06.882354 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
   2: 08:52:07.878586 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
   3: 08:52:08.878464 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
   4: 08:52:09.878479 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
4 packets shown

asa# sh cap capguest
4 packets captured
   1: 08:52:06.882110 802.1Q vlan#4 P0 192.168.96.7 > 1.1.1.228: icmp: echo request
   2: 08:52:07.878540 802.1Q vlan#4 P0 192.168.96.7 > 1.1.1.228: icmp: echo request
   3: 08:52:08.878433 802.1Q vlan#4 P0 192.168.96.7 > 1.1.1.228: icmp: echo request
   4: 08:52:09.878433 802.1Q vlan#4 P0 192.168.96.7 > 1.1.1.228: icmp: echo request
4 packets shown
asa#

C:\>ping 1.1.1.228

Pinging 1.1.1.228 with 32 bytes of data:
Reply from 172.16.1.15: bytes=32 time<1ms TTL=127
Reply from 172.16.1.15: bytes=32 time<1ms TTL=127
Reply from 172.16.1.15: bytes=32 time<1ms TTL=127
Reply from 172.16.1.15: bytes=32 time=1ms TTL=127

Ping statistics for 1.1.1.228:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\>

So you get a reply to the ping from the client, but on the captures there are only requests.

This looks like asymmetric routing on the ASA, which will break the connection, meaning the request goes through the ASA but the reply is using a different path.

Try this NAT and use packet tracer to confirm it hits this NAT rule.

nat (guest,admin) 1 source dynamic any interface destination static 1.1.1.228 MailServer

Felipe
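The diagnosis above rests on one observation: both captures contain echo requests and no echo replies, so the return traffic is bypassing the ASA. The following is an added example, not code from this thread or from Cisco, that automates that check by parsing `show capture` output and flagging flows with requests but no matching replies. The capture text embedded below is constructed to mirror the format shown in the thread; the addresses and timestamps are illustrative only.

```python
import re
from collections import defaultdict

# Constructed sample resembling ASA `show capture` output where only
# echo requests are seen (the asymmetric-routing symptom from the thread).
CAPTURE_ONE_WAY = """\
2 packets captured
   1: 08:52:06.882354 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
   2: 08:52:07.878586 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
2 packets shown
"""

# Constructed sample of a healthy exchange: reply returns through the ASA.
CAPTURE_HEALTHY = """\
2 packets captured
   1: 09:00:00.000100 802.1Q vlan#1 P0 192.168.96.7 > 172.16.1.15: icmp: echo request
   2: 09:00:00.000400 802.1Q vlan#1 P0 172.16.1.15 > 192.168.96.7: icmp: echo reply
2 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.us> ... <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+.*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)


def parse_capture(text):
    """Return a list of (timestamp, src, dst, kind) for each ICMP echo line.

    Header/footer lines such as 'N packets captured' carry no match and are skipped.
    """
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return packets


def one_way_flows(text):
    """Map (client, server) -> request count for flows that never saw a reply.

    Replies are keyed on the reversed address pair so that a request from A to B
    and a reply from B to A land in the same bucket. An empty result means every
    request in the capture was answered through this interface.
    """
    counts = defaultdict(lambda: {"request": 0, "reply": 0})
    for _, src, dst, kind in parse_capture(text):
        key = (src, dst) if kind == "request" else (dst, src)
        counts[key][kind] += 1
    return {
        flow: c["request"]
        for flow, c in counts.items()
        if c["request"] and not c["reply"]
    }


if __name__ == "__main__":
    for name, cap in (("one-way", CAPTURE_ONE_WAY), ("healthy", CAPTURE_HEALTHY)):
        flagged = one_way_flows(cap)
        if flagged:
            for (client, server), n in flagged.items():
                print(f"{name}: {n} request(s) {client} -> {server} with no reply; "
                      "check for asymmetric return path")
        else:
            print(f"{name}: all requests answered")
```

Paste the output of `show cap <name>` from each interface into the script in place of the constructed samples; a flow that is flagged on every capture while the client still receives replies is the signature the thread describes, and the twice NAT rule above is the fix because it forces the server's reply back through the ASA.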

THAT DID IT!!!  

I entered:

nat (guest,admin) 1 source dynamic any interface destination static 1.1.1.228 MailServer

I also removed the previous NAT entry that we had put in. To verify, I tested this with some other services, such as the one below, and they work perfectly as well.

nat (guest,admin) 1 source dynamic any interface destination static 1.1.1.229 TerminalServer

Thank you so much for all of your help. Very much appreciated!
