Greetings,
I am scratching my head over the following problem:
Client has an ASA5550 with 1 public IP address + gateway. Client also ordered a /28 public subnet from the provider. This /28 (let's say 6.6.6.64/28) is routed to the ASA.
Configuration:
ASA5550 with SSM, ASA 9.1(4), ASDM 7.4(2)
outside: g1/1.128 (provider uses VLANs, don't ask me why), let's say 5.5.5.77/24 with 5.5.5.1 as the gateway.
inside: g1/1, 192.168.1.1/24
Only those interfaces are up since they are connected to other devices.
Challenge: I need to set up NAT rules using IPs from the public /28 subnet to inside hosts; for example, I need to NAT 6.6.6.67 to 192.168.1.6 for RDP.
Actions so far:
I created:
- dmz interface on g1/1.99 (6.6.6.78/28), I used g1/1 since this interface is up. Security level 50.
- network object TESTSRV with static one-to-one NAT for 192.168.1.6, translated address 6.6.6.67, source if=inside, dest if=dmz
- network object IP-6.6.6.67 with host 6.6.6.67
- access rule: dmz incoming, source: HOST_OUTSIDE, dest: TESTSRV
- access rule: outside incoming, source: HOST_OUTSIDE, dest: IP-6.6.6.67
Both access rules are triggered. Packet traces show that everything is fine and allowed. The TCP connection from HOST_OUTSIDE to TESTSRV is built, but nothing happens after that.
I consider this to be hairpinning on the DMZ interface, but am confused as to how to proceed.
Any thoughts greatly appreciated.
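For reference, here is an added configuration example (not the poster's configuration, and not a reply from the thread) showing the conventional way to publish an inside host on a provider-routed /28 with ASA 9.1: the mapped address lives only in a `nat (inside,outside)` rule, and no interface needs an address from the /28 because the provider already routes the block to the ASA's outside address. The interface names, 6.6.6.67, 192.168.1.6, HOST_OUTSIDE and port 3389 are taken from the post; the object name RDP-SERVER, the ACL name OUTSIDE_IN and the remote address 203.0.113.10 are placeholders chosen for this example.

```cisco
! Added example, assumes interfaces "outside" (5.5.5.77/24, default route
! via 5.5.5.1) and "inside" (192.168.1.1/24) already exist as in the post.

! Real host on the inside, published as 6.6.6.67 on the outside interface.
! The mapped address is not assigned to any interface: the provider routes
! 6.6.6.64/28 to 5.5.5.77, and the ASA untranslates it on ingress.
object network RDP-SERVER
 host 192.168.1.6
 nat (inside,outside) static 6.6.6.67

! Remote client allowed to reach the server (placeholder address, TEST-NET-3).
object network HOST_OUTSIDE
 host 203.0.113.10

! Since ASA 8.3 the ingress ACL matches the REAL (untranslated) destination,
! so the permit names the inside host object, not the 6.6.6.67 mapped address.
access-list OUTSIDE_IN extended permit tcp object HOST_OUTSIDE object RDP-SERVER eq 3389
access-group OUTSIDE_IN in interface outside

! Verify from exec mode: the trace should show NAT untranslating 6.6.6.67 to
! 192.168.1.6, the OUTSIDE_IN permit, and egress via "inside".
! packet-tracer input outside tcp 203.0.113.10 40000 6.6.6.67 3389
```

With this layout the return traffic from 192.168.1.6 follows the default route back out the outside interface, so there is no second interface for the flow to be pulled towards; if a dmz interface holding an address from the same /28 is also present, the ASA has a connected route for 6.6.6.64/28 toward that interface, which is worth checking with `show route` before adding per-host NAT rules.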