ASA NAT Loopback

I have a requirement to access one of our outside interface IP addresses from inside the network.

The scenario is we have teleworker devices that we provision in house before sending out. These devices cannot use a hostname but must be programmed with the IP. I would like to able to confirm these devices are working before shipping them out.

I've been attempting some kind of loopback/hair pinning NAT rules but haven't managed to get one working yet.

Any help would be greatly appreciated.

Device: ASA 5510  v8.4
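The configuration that implements the hairpin the question asks for, as an added example that is not from the original thread or from Cisco documentation. It uses the ASA 8.3+ (so 8.4) object and twice-NAT syntax. Assumptions are marked: the public address is written as `203.0.113.157` standing in for the masked 209.x.x.157, the inside subnet is assumed to be 10.1.11.0/24, the interface names are assumed to be `inside` and `outside`, and the first object is an assumed reconstruction of the existing static NAT the poster already has.

```cisco
! --- Assumed existing rule: public 203.0.113.157 (stands in for 209.x.x.157) -> real 10.1.11.9
object network obj-10.1.11.9
 host 10.1.11.9
 nat (inside,outside) static 203.0.113.157

! --- Added for the hairpin: objects for the mapped public address and the inside subnet (assumed /24)
object network obj-public-157
 host 203.0.113.157
object network obj-inside-net
 subnet 10.1.11.0 255.255.255.0

! Traffic must be allowed to enter and leave the same interface
same-security-traffic permit intra-interface

! Twice NAT, inside to inside:
!  - destination: the public address is translated back to the real server
!  - source: the client is translated to the inside interface address, so the
!    server's reply returns via the ASA instead of going directly to the client
!    (which would break the TCP session because the client expects replies
!    from 203.0.113.157, not 10.1.11.9)
nat (inside,inside) source dynamic obj-inside-net interface destination static obj-public-157 obj-10.1.11.9

! --- Verification from the ASA CLI (constructed test client 10.1.11.50, TCP/443)
! packet-tracer input inside tcp 10.1.11.50 12345 203.0.113.157 443
! show xlate
! show nat detail
```

Two things a practitioner should check after applying this. First, because inside-to-inside traffic now traverses the ASA, any access-list applied to the `inside` interface and the inspection policy apply to it, so a teleworker device that fails the test may be blocked by policy rather than by NAT; `packet-tracer` shows which phase drops the flow. Second, the source translation to the interface address means the server's own logs will show the ASA inside address rather than the real client; if per-client attribution on the server matters, the ASA connection log (`show conn`, syslog 302013/302014) is where the client address is preserved. The DNS-doctoring approach suggested later in the thread is the single keyword `dns` appended to the `nat (inside,outside) static ...` line; it only helps when the client resolves a hostname, which is exactly what the poster cannot do.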

4 Replies

Hi Bro

There's no provision for interface loopback in Cisco ASA. What you can do is, set an IP Address, Subnet Mask and Default Gateway on those teleworker devices, place them on the INSIDE nameif of the Cisco ASA, and try to access devices on the OUTSIDE nameif of the Cisco ASA. You can ping the OUTSIDE IP Address from INSIDE, provided you have the management-access outside command, but this is messy.

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

I don't think I explained it very well.

The device the teleworkers need access to is on the inside. But I don't want to programme the teleworkers with the internal IP as that obviously won't work when they are shipped out.

209.x.x.157 is static NAT'd to 10.1.11.9

I need for the teleworkers to be able to reach 209.x.x.157 from the inside rather than having to use 10.1.11.9.

Hopefully that better explains it.

If that's the case, you'll need to enable Cisco DNS Doctoring in your Cisco FW. You could refer to this Cisco URL as a guide http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

As I understand it, DNS doctoring simply hijacks the DNS request and replaces the external IP with the internal. I don't see how that is going to help considering there are no DNS requests taking place.

If I could programme the teleworker devices with a hostname I would just run split DNS and call it a day. Unfortunately I cannot.

As much as I dislike SonicWALL devices, a loopback NAT rule is a 15 second task on them. In fact most are auto generated.
