Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1525
Views
0
Helpful
1
Replies

ASA 8.6 nat reflection

Tarik Admani
VIP Alumni
VIP Alumni

‎05-14-2013 08:16 PM - edited ‎03-11-2019 06:43 PM

Hi,

I have a scenario where i need to enable nat reflection or understand how I can make this work on a ASA 55x5-x for a specific design of telepresence equipment.

There is a equipment that sets inside the network, and its peer (or slave) that sits on the dmz to handle outside connections.

Basically i have to setup up a nat reflection scenario so that the inside appliance only registers to the dmz device using its public natted address and not the dmz address. I have tried to configure this using "same-security-traffic permit intra-interface", static nat for the outside interface which in turn performs an identity nat for the public addresses...

In turn I would like to hairpin this traffic on the outside interface and have it hit the dmz when sourced from the inside and vice versa.

Is this possbile on the 8.6 code? For anyone interested here is a link to the guide that explains this behavior:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf  (page 64)

Thanks,

Tarik Admani
*Please rate helpful posts*       

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎05-17-2013 08:54 AM

Hi,

Not really exactly sure of the setup here. I mean do I understand it correctly.

On first glance it weems to me that you are just talking about NATing DMZ server to their public IP address towards BOTH the "outside" and the "inside"? That shouldnt be a problem to my understanding.

Though in the above case I mention, there is really no hairpinning of traffic involved.

Would there be any chance you could clarify the situation. Perhaps even with a small picture of the network setup along with somekind of example IP addresses?

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card