03-02-2011 07:04 AM - edited 03-11-2019 12:59 PM
Hi.
I have an ASA 5505 in front of a server answering on https.
I have forwarded port 443 on the external interface to the internal IP of the server, which works fine from the outside.
The problem is that the clients on the inside cannot access the external address of the ASA, which should be solved by hairpinning.
However, I can't get it to work.
Scenario:
ASA 5505, external interface 10.1.1.1, port 443 redirected to 192.168.142.10:443
Internal server, ip 192.168.142.10
Internal client, ip 192.168.142.11
ASA config:
object network hnk-dc1-OWA-internal
 ! the object has to name the server address from the scenario above
 host 192.168.142.10
 nat (inside,inside) static 10.1.1.1 service tcp https https
When running Wireshark on the server I see the following when internal clients attempt to connect to 10.1.1.1:443:
16840 111.575647 192.168.142.11 192.168.142.10 TCP 51051 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
16841 111.575694 192.168.142.10 192.168.142.11 TCP https > 51051 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
16842 111.576055 192.168.142.11 192.168.142.10 TCP 51051 > https [ACK] Seq=1 Ack=1 Win=64240 Len=0
16843 111.576438 192.168.142.11 192.168.142.10 TLSv1 Client Hello
16847 111.577655 192.168.142.11 192.168.142.10 TCP [TCP ACKed lost segment] 51051 > https [ACK] Seq=122 Ack=4621 Win=64240 Len=0
Why the lost segment? Any ideas?
03-02-2011 09:31 AM
Just a thought, since the server and the user are on the same segment (192.168.142.x network). The traffic initially goes directly to the ASA, then around to the server; the server then, since it's on the same segment, sends it directly to the user. The user is trying to talk with 10.1.1.1, not 192.168.142.10. The server, on the other hand, is trying to talk to 192.168.142.11.
Make sense? What if you source NATted the user to ensure that traffic is sent back to the firewall to provide for the proper traffic pattern?
Just a thought, and I could be way off base.
03-03-2011 12:50 AM
I have had exactly the same idea, but I'm not really sure how to solve it.
Some kind of source NAT as you say, but NAT to what? The internal address of the ASA?
03-03-2011 06:22 AM
Something like this:
object network 192.168.142_inside
 subnet 192.168.142.0 255.255.255.0
 nat (inside,inside) dynamic interface
I would give that a shot. Just remember that this will NAT all traffic that hairpins through the firewall from the internal network to the internal network. Also, you might need the commands "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface" because you're going in and out the same interface.
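As an added illustration (not part of the thread), a small Python model of the flow the two replies above describe: with only the static hairpin rule, the server's SYN/ACK is delivered straight to the client on the shared segment and never returns through the ASA, so the client sees a reply from the wrong address; with the (inside,inside) dynamic interface rule, the reply is addressed to the ASA and gets untranslated. The ASA inside interface address 192.168.142.1 and the PAT port are assumptions, not values from the thread.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the thread; the ASA inside interface address is assumed.
ASA_OUTSIDE = "10.1.1.1"
ASA_INSIDE = "192.168.142.1"     # assumption: never stated in the thread
SERVER, CLIENT = "192.168.142.10", "192.168.142.11"
INSIDE_NET = "192.168.142."
PAT_PORT = 40000                 # constructed: port the ASA picks for PAT

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def on_inside_segment(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)

def asa_inbound(p: Pkt, source_nat: bool) -> Optional[Pkt]:
    """Client->server direction. The static rule maps 10.1.1.1:443 to the
    server; with source_nat the (inside,inside) dynamic interface rule also
    rewrites the client to the ASA's inside address (PAT)."""
    if p.dst != ASA_OUTSIDE or p.dport != 443:
        return None                          # no rule matches this flow
    p = replace(p, dst=SERVER)
    if source_nat:
        p = replace(p, src=ASA_INSIDE, sport=PAT_PORT)
    return p

def asa_return(p: Pkt) -> Pkt:
    """Server->client direction: undo both translations."""
    src = ASA_OUTSIDE if (p.src, p.sport) == (SERVER, 443) else p.src
    if (p.dst, p.dport) == (ASA_INSIDE, PAT_PORT):
        return Pkt(src, p.sport, CLIENT, 51051)
    return replace(p, src=src)

def hairpin_flow(source_nat: bool) -> dict:
    """Trace the SYN and the SYN/ACK and report where the reply goes."""
    syn = Pkt(CLIENT, 51051, ASA_OUTSIDE, 443)
    at_server = asa_inbound(syn, source_nat)
    synack = Pkt(SERVER, 443, at_server.src, at_server.sport)
    # The server delivers directly to any host on its own segment; only a
    # packet addressed to the ASA itself (or off-segment) reaches the ASA.
    via_asa = synack.dst == ASA_INSIDE or not on_inside_segment(synack.dst)
    seen_by_client = asa_return(synack) if via_asa else synack
    # The client only accepts a SYN/ACK matching the 4-tuple it opened.
    expected = Pkt(ASA_OUTSIDE, 443, CLIENT, 51051)
    return {"reply_via_asa": via_asa, "client_accepts": seen_by_client == expected}
```

Calling `hairpin_flow(False)` reproduces the broken case from the capture (reply bypasses the ASA), and `hairpin_flow(True)` the working one after the dynamic interface rule is added.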
03-03-2011 11:06 AM
That actually seems to work perfectly.
Now to some tweaking: it's actually just tcp/443 I want to NAT this way, but I think I can figure out a way to solve that myself.
Thanks for all your help!