cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2291
Views
5
Helpful
14
Replies

Cisco ASA 5505 hairpinning/nat issue

JohnSimons
Level 1
Level 1

Hey guys,

As a follow up to my previous question:

https://supportforums.cisco.com/message/4077187#4077187

The static nat entry there was used to rewrite DNS request to the outside interface to the internal gateway address which was then PAT-ed to the internal network

Basically I have 3 networks, inside, outside and wireless, and when a client on the wireless network tries to access the mailserver by it's external domain name it resolves to the external ip. What it should do is either resolve to the gateway adress which I can PAT to the internal network or hairpin back on the outside interface address.

I have so far tried to static translate the outside interface to the gateway address which worked, but as a side-effect caused connections directly to the webvpn on the firewall to get un-natted to the wireless network.

Is there a proper way to get this running without using a seperate dns server on the wireless network?

Thanks for reading my question and taking the time think about it!

John

3 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

So if I understood correctly from your previous discussion and the above information then you want to the users behind "wireless" to access your Mail server behind "inside" interface and the DNS is causing problem.

If the public DNS is returning the public IP address of the server then I would imagine you would have the possibility to Static NAT the local server to the public IP address also towards "wireless" the same way its translated towards "outside".

For example

static (inside,wireless) netmask 255.255.255.255

This would naturally mean that any connection that the hosts behind "wireless" need to form to the destination server would have to use the public IP address as the destination IP.

Also, to my understanding if you have already used DNS rewrite in the Static NAT/PAT configuration before to make the ASA change the DNS reply to point to the local IP address then this should also work for the users behind "wireless"

Let me know if this was what you were looking for and if I understood the situation/requirements correctly.

Hope this helps

- Jouni

View solution in original post

Hah

Glad you got it working

- Jouni

View solution in original post

Hi,

So if I understood correctly you are actually trying to connect to the actual ASA device with the help of this NAT?

If you are forming a connection to the actual ASA device then you will always have to use the interface IP address of the interface behind which you are currently located. You wont be able to use NAT to do translation for your actual interface IP address.

So if hosts on "wireless" connecto the ASA with VPN or just otherwise want to manage the ASA for example then you will have to use the "wireless" interface IP address for that purpose.

The Static NAT/PAT we did originally was for an actual host behind the "inside" interface of the ASA so that type of NAT is fine.

If you are trying to provide a NAT IP address for a local IP address that is actually an IP address configured on an ASA interface then that is not possible.

- Jouni

View solution in original post

14 Replies 14

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

So if I understood correctly from your previous discussion and the above information then you want to the users behind "wireless" to access your Mail server behind "inside" interface and the DNS is causing problem.

If the public DNS is returning the public IP address of the server then I would imagine you would have the possibility to Static NAT the local server to the public IP address also towards "wireless" the same way its translated towards "outside".

For example

static (inside,wireless) netmask 255.255.255.255

This would naturally mean that any connection that the hosts behind "wireless" need to form to the destination server would have to use the public IP address as the destination IP.

Also, to my understanding if you have already used DNS rewrite in the Static NAT/PAT configuration before to make the ASA change the DNS reply to point to the local IP address then this should also work for the users behind "wireless"

Let me know if this was what you were looking for and if I understood the situation/requirements correctly.

Hope this helps

- Jouni

You are a hero. I have been fucking around with this for the bigger part of this morning. I love you.

Hah

Glad you got it working

- Jouni

Hey Jouni,

If it's not too much of a hassle could you take a look at this for me?

I adapted your configuration to PAT instead of NAT, which works brilliantly for the services located on the internal server, but not so much for the webvpn running on the firewall itself.

I used this rule:

static (inside,wireless) tcp outside_ip 444 gw_inside 444 netmask 255.255.255.255

And the error I receive is:

Deny IP spoof from (192.168.x.x) to outside_ip on interface wireless

Your time and knowledge is much appreciated!

John

Hi,

What are you attempting to do with the WebVPN? I presume you mean Clientless (portal based) VPN?

- Jouni

Well both Clientless VPN and AnyConnect are accessible on that port, but I'm really only interested in accessing the AnyConnect service.

John

Hi,

So are you saying that you are running VPN on the "wireless" interface and the "wireless" users connect to that interface with VPN to gain access to your "inside" network server?

If so then I would have need to see the configurations.

- Jouni

Correct, what configurations do you need?

Static NAT (same as posted before):

static (inside,wireless) tcp outside_ip 444 gw_inside 444 netmask 255.255.255.255

Webvpn configuration:

webvpn

port 444

enable outside

enable wireless

dtls port 444

no anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

Hi,

I would like to see all the VPN related configurations to the AnyConnect the users behind "wireless" are using. Tunnel Groups, Group Policys, possible related ACLs, NAT configurations, etc

- Jouni

Hi Jouni,

The VPN service itself works perfectly fine on the outside interface. If you still need them I'll send them by PM if that's okay with you.

John

Hi,

What is the Static PAT configuration between "wireless" and "wireless" for the port TCP/444? Is this the connection you are trying that is not working?

The other Static PAT configurations are between "inside" and "wireless" which was the original aim I guess?

If this was not the problem then can you post the output of "show route" and tell me the VPN Pool IP address range/network while you are connected from the "wireless" interface with VPN.

I am not sure though why your wireless users are connecting to the ASA with VPN or are you trying to limit connections to your internal network only to some specific users behind the "wireless" interface?

- Jouni

Yes, that's the one, and yes access to the internal network is restricted to only a few users on the wireless interface.

Basically I want the wireless network to function as a seperate network with only internet access". It's usually only used by guests but every now and then I or one of my colleagues needs to access the internal network over it. The static PAT's between inside and wireless are those needed to access our SBS server as if we were connecting from the internet, those work fine. The wireless, wireless PAT is the one I hoped would allow a connection to outside_ip:444 to be picked up by the ASA itself. Basically I want the ASA to respond if I try to connect to outside_ip:444 from the wireless network.

Hope this clarifies my intentions enough.

Hi,

So if I understood correctly you are actually trying to connect to the actual ASA device with the help of this NAT?

If you are forming a connection to the actual ASA device then you will always have to use the interface IP address of the interface behind which you are currently located. You wont be able to use NAT to do translation for your actual interface IP address.

So if hosts on "wireless" connecto the ASA with VPN or just otherwise want to manage the ASA for example then you will have to use the "wireless" interface IP address for that purpose.

The Static NAT/PAT we did originally was for an actual host behind the "inside" interface of the ASA so that type of NAT is fine.

If you are trying to provide a NAT IP address for a local IP address that is actually an IP address configured on an ASA interface then that is not possible.

- Jouni

Hi Jouni,

Alright, too bad that's not possible. Thanks again for the clarification!

John

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: