06-06-2016 08:03 AM - edited 03-12-2019 12:51 AM
I have a NAT problem which has been really bugging me. The issue itself relates to Skype for Business. There is client wireless traffic (mobile client software) coming to the inside interface of the ASA that is destined for the public IP address of a Skype Reverse Proxy server that actually sits off the DMZ interface. This traffic needs to be turned around in the ASA so that instead of going external it is redirected to the IP address of the Proxy server in the DMZ network. Now hairpinning is said to be a way of achieving this in discussions relating to Skype for Business, but given the destination is off the DMZ interface and not on an internal network I don't know how useful this would be.
I was hoping someone would have an idea how to make this happen. Here are some of the IP addresses involved:
Internal wireless networks - 10.0.230.0/24 & 10.1.2.0/23
Proxy server - 192.168.15.100 (DMZ subnet address), 198.50.70.123 (Public address)
To summarise: traffic from 10.0.230.0/24 & 10.1.2.0/23 is destined for 198.50.70.123 but needs to be redirected to the 192.168.15.100 address the Proxy server has on the DMZ network. There probably also needs to be a corresponding NAT rule so that the return traffic can get to where it's going.
A couple of caveats: there is already a dynamic rule which PATs the source address to our main public address 198.50.70.249 if directed externally. Also, the Cisco ASA I am working with is on version 8.2.
06-06-2016 01:19 PM
Have you tried to use a route map? Specify the source interface and then the destination interface. If it hits this you can specify the next hop ip address to go to.
06-21-2016 06:17 AM
I have since investigated using Policy NAT to achieve this end with no success.
Firstly I tried Policy Dynamic NAT:
access-list Test permit ip 10.0.230.0 255.255.255.0 198.50.70.0 255.255.255.0
access-list Test permit ip 10.1.2.0 255.255.254.0 198.50.70.0 255.255.255.0
nat (inside) 3 access-list Test
global (dmz) 3 192.168.15.100
However, this seems to be trumped by the main dynamic policy concerning outside traffic (although I think the logic is sound).
I also tried Policy Static NAT, but what I am trying to achieve effectively amounts to many-to-one, which isn't allowed by Static.
So I don't know if I can work around the Policy Dynamic NAT which is causing trouble for me. And I don't know if I should try, as it will mean anything coming from inside client networks to our public network, whether erroneously or by intention, will get NAT'ed to our Skype Proxy server, which doesn't seem like a desirable outcome.
Can you set precedence amongst different dynamic NAT rules?
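The following is an added example worked from the addresses in the thread; it is not configuration posted by the original author. On pre-8.3 code the usual way to send inside clients that address the proxy's public IP to the DMZ host is a static translation between dmz and inside, rather than policy dynamic NAT: a static entry is evaluated before dynamic nat/global rules, it is bidirectional (so the return traffic is covered by the same entry), and it is host-specific, so the rest of 198.50.70.0/24 is not pulled toward the proxy. It assumes the interfaces are named inside and dmz, that nat-control is disabled (the 8.2 default), that the proxy listens on TCP 443, and the ACL name inside_in is an assumption; if an inbound ACL already exists on the inside interface, add the permit lines to that ACL instead of applying a new access-group.

```cisco
! Added example (not from the original post): pre-8.3 ASA syntax.
! Map the DMZ proxy's real address to its public address as seen from inside.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
! The existing static (dmz,outside) entry for external access is unaffected.
static (dmz,inside) 198.50.70.123 192.168.15.100 netmask 255.255.255.255
!
! With nat-control disabled (the 8.2 default) the client source addresses
! need no translation toward the DMZ. If a global (dmz) entry exists for the
! same nat id as the inside clients, the sources are PATed to that address.
!
! Pre-8.3 interface ACLs match the mapped (untranslated) destination, so if
! an ACL is applied inbound on inside, permit the public address.
! (ACL name inside_in and port 443 are assumptions.)
access-list inside_in extended permit tcp 10.0.230.0 255.255.255.0 host 198.50.70.123 eq 443
access-list inside_in extended permit tcp 10.1.2.0 255.255.254.0 host 198.50.70.123 eq 443
access-group inside_in in interface inside
!
! Verify: the xlate table should show the static entry, and packet-tracer
! should show the flow egressing dmz (not outside) with the destination
! untranslated to 192.168.15.100.
show xlate | include 192.168.15.100
packet-tracer input inside tcp 10.0.230.10 12345 198.50.70.123 443
```

This is not strictly hairpinning (ingress inside, egress dmz), so `same-security-traffic permit intra-interface` is not required for it, and the earlier test policy dynamic NAT (`nat (inside) 3 access-list Test` / `global (dmz) 3`) can be removed since it is no longer needed.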