ASA 8.4 hairpinning vlan question

Arthur Johnson, Level 1

Hi there. I am trying to give a VLAN subinterface access to an inside resource through the outside IP. Config below:

interface Ethernet0/0
nameif outside
security-level 0
ip address 177.77.77.77 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.15.1 255.255.254.0
!
interface Ethernet0/1.20
description VLAN 20
vlan 20
nameif VLAN20
security-level 90
ip address 192.168.5.2 255.255.255.0

---

object network OWA
host 10.10.15.11

object network OWA-outside
host 177.77.77.78

---

nat (inside,VLAN20) source static OWA OWA-outside
nat (VLAN20,inside) source static OWA OWA-outside

(tried both statements, was not sure which direction I need to NAT?)

---

same-security-traffic permit intra-interface

(not sure if this is needed?)

---

access-list INCOMING extended permit tcp any object OWA eq https

access-group INCOMING in interface outside

Wanting vlan20 to be able to access OWA through the external 177.77.77.78 IP. I don't have an access-list for the VLAN interface.

Thank you. I've searched and read, but just unable to get this to work, and I am sort of in a time crunch.


5 Replies

Philip D'Ath, VIP Alumni

I would use an object NAT first.

object network OWA
  nat (inside, any) static 177.77.77.78

This will make the OWA server have the same IP address on both other interfaces.  Your interfaces all have different security levels, so you don't need "same-security-traffic permit intra-interface".

You need an access-list on both the inside and vlan20 interfaces to allow the traffic to the OWA server.

Thanks for the quick reply. I changed the OWA nat from (inside,inside) to (inside,any). I have an access-list for the inside interface that has been in place to permit the world to OWA; since it's "any" it should cover the vlan as well, if I understand.

access-list INCOMING extended permit tcp any object OWA eq https

What do I do with the VLAN access-list? Am I permitting vlan hosts access to the OWA via out interface vlan20?

access-list vlan20 extended permit tcp any object OWA eq https

access-group vlan20 out interface vlan20

Thanks again.

You may not need to do anything.  Can VLAN20 now get to OWA on 177.77.77.78?

If not, add an inbound access-list to vlan20.

Inbound access-list made it work, I replied above. Thank you

This got me going in the right direction. I read again through this: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html and added (in that specific order):

access-list VLAN20 extended permit tcp any host 10.10.15.11
access-list VLAN20 extended deny ip any object INSIDE-HOSTS
access-list VLAN20 extended permit ip any any

access-group VLAN20 in interface VLAN20

and this worked, verified by packet-tracer and end user.

Thank you
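The thread's fix comes down to three ASA behaviours that are easy to get wrong: on ASA 8.3+ the interface access-list matches the real (untranslated) address, so the VLAN20 ACE references 10.10.15.11 even though the client connects to 177.77.77.78; ACLs are bound per interface, so the "any" in the outside INCOMING list never applied to traffic arriving on VLAN20; and without an inbound ACL, an interface may only send traffic towards interfaces with a lower security level, so VLAN20 (90) to inside (100) was dropped by default. The following is an added Python model of those rules (not Cisco code and not from the thread), using the interfaces, objects, NAT and ACLs posted above. The INSIDE-HOSTS object is never defined on the page; it is assumed here to be the inside interface's 10.10.14.0/23, and the egress interface is picked by connected network with a default route out of outside.

```python
"""First-match ACL evaluation for the thread's ASA policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Interface subnets from the posted config; unmatched destinations go to outside.
INTERFACE_NETS = {
    "outside": ipaddress.ip_network("177.77.77.64/27"),
    "inside": ipaddress.ip_network("10.10.14.0/23"),
    "VLAN20": ipaddress.ip_network("192.168.5.0/24"),
}
SECURITY_LEVEL = {"outside": 0, "inside": 100, "VLAN20": 90}

# Objects from the thread. INSIDE-HOSTS is an assumption (inside /23).
OBJECTS = {
    "OWA": ipaddress.ip_network("10.10.15.11/32"),
    "INSIDE-HOSTS": ipaddress.ip_network("10.10.14.0/23"),
}

# object network OWA / nat (inside,any) static 177.77.77.78
STATIC_NAT = {ipaddress.ip_address("177.77.77.78"): ipaddress.ip_address("10.10.15.11")}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port


# Access-lists exactly as posted, in the posted order.
ACLS = {
    "INCOMING": [Ace("permit", "tcp", ANY, OBJECTS["OWA"], 443)],
    "VLAN20": [
        Ace("permit", "tcp", ANY, OBJECTS["OWA"]),
        Ace("deny", "ip", ANY, OBJECTS["INSIDE-HOSTS"]),
        Ace("permit", "ip", ANY, ANY),
    ],
}
# access-group <acl> in interface <ifname>, as in the final working config.
BOUND_IN = {"outside": "INCOMING", "VLAN20": "VLAN20"}
# The original poster's starting point: no inbound ACL on VLAN20.
BOUND_IN_BEFORE_FIX = {"outside": "INCOMING"}


def untranslate(dst):
    """Static NAT untranslation happens before the inbound ACL is checked."""
    return STATIC_NAT.get(dst, dst)


def egress_interface(real_dst):
    for name, net in INTERFACE_NETS.items():
        if real_dst in net:
            return name
    return "outside"  # default route


def evaluate_acl(acl, proto, src, dst, dport=None):
    """Top-down first match; returns (action, 1-based ACE number).
    Falling off the end is the implicit deny (line None)."""
    for i, a in enumerate(acl, 1):
        if a.proto != "ip" and a.proto != proto:
            continue
        if src not in a.src or dst not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, i
    return "deny", None


def decide(ingress, proto, src, dst, dport=None, bound_in=BOUND_IN):
    """Returns (action, egress interface, reason) for a packet arriving on `ingress`."""
    src = ipaddress.ip_address(src)
    real_dst = untranslate(ipaddress.ip_address(dst))
    egress = egress_interface(real_dst)
    acl_name = bound_in.get(ingress)
    if acl_name is None:
        # No inbound ACL: only lower-security destinations are reachable.
        allowed = SECURITY_LEVEL[egress] < SECURITY_LEVEL[ingress]
        return ("permit" if allowed else "deny", egress, "no ACL, security-level default")
    action, line = evaluate_acl(ACLS[acl_name], proto, src, real_dst, dport)
    reason = f"{acl_name} line {line}" if line else f"{acl_name} implicit deny"
    return action, egress, reason


if __name__ == "__main__":
    # Constructed sample flows: a VLAN20 client reaching OWA via the outside IP,
    # the same client trying another inside host, and the world hitting OWA.
    for args in [("VLAN20", "tcp", "192.168.5.10", "177.77.77.78", 443),
                 ("VLAN20", "tcp", "192.168.5.10", "10.10.15.20", 445),
                 ("outside", "tcp", "203.0.113.5", "177.77.77.78", 443)]:
        print(args, "->", decide(*args), "| before fix:", decide(*args, bound_in=BOUND_IN_BEFORE_FIX))
```

Running it shows the hairpinned VLAN20-to-OWA flow permitted by line 1 of VLAN20, the same client denied on line 2 when it targets any other inside host, and the identical flow dropped by the security-level default when no ACL is bound to VLAN20, which is the state the question started from. Swapping lines 1 and 2 of the VLAN20 list makes the deny win, which is why the poster stresses the order.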
