08-18-2020 12:38 PM
Hi,
I am using ASA version 9.13 and have a scenario where I need to allow communication in which traffic has to go in and out through the same interface.
Example (taking random IPs):
We have a private range 172.16.1.0/24 behind the firewall, where 172.16.1.2 is the web server IP and 172.16.1.3 is the proxy server IP.
ASA firewall outside interface IP: 28.1.1.1/24
The web server IP 172.16.1.2 has a destination static NAT to IP 28.1.1.2,
and the proxy server IP 172.16.1.3 has a source dynamic PAT to the ASA outside interface IP 28.1.1.1.
We have already allowed access to the web server IP 172.16.1.2 over the internet, and the proxy server is also allowed to access any IP over the internet. Any user on the internet who tries to access the web server via the public IP 28.1.1.2 is able to access it on 443,
but the proxy server is not able to access the web server using the public IP 28.1.1.2.
We want our proxy server to access the web server over the internet and not directly using the private source and destination IPs.
I am aware that the U-turn traffic flow / hairpinning concept applies here, but I am not sure of the exact configuration that can be applied, and I need help with that.
Thanks.
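As an added example (not part of the original post or of any reply in this thread): the standard ASA 9.x hairpin configuration for the scenario described above, using the addresses from the post. The object names (WebServer_Internal, WebServer_Public, Proxy_Internal) and the interface name "inside" are assumptions; substitute your own.

```cisco
! Objects for the hosts in the post (names are assumed)
object network WebServer_Internal
 host 172.16.1.2
object network WebServer_Public
 host 28.1.1.2
object network Proxy_Internal
 host 172.16.1.3
!
! The translations the post says already exist, expressed as object NAT
! (NAT table section 2): static NAT for the web server, dynamic PAT to the
! outside interface IP for the proxy
object network WebServer_Internal
 nat (inside,outside) static WebServer_Public
object network Proxy_Internal
 nat (inside,outside) dynamic interface
!
! 1. Permit a flow to enter and leave the ASA on the same interface
same-security-traffic permit intra-interface
!
! 2. Twice NAT for the hairpin (NAT table section 1, so it is evaluated before
!    the object NAT rules above and only for this source/destination pair):
!    - destination 28.1.1.2 is untranslated to 172.16.1.2
!    - source 172.16.1.3 is PAT'd to the ASA inside interface IP, so the web
!      server's reply comes back through the ASA instead of going straight
!      to the proxy and being dropped as an asymmetric/unknown flow
nat (inside,inside) source dynamic Proxy_Internal interface destination static WebServer_Public WebServer_Internal
!
! 3. Verify the path (proxy -> public web IP, tcp/443) before trusting it
packet-tracer input inside tcp 172.16.1.3 40000 28.1.1.2 443 detailed
```

Two practical points about this rule. Because it is scoped to source Proxy_Internal and destination WebServer_Public, it does not change the proxy's existing outbound PAT to 28.1.1.1 for any other destination. And because the source is rewritten to the ASA inside interface IP, the web server's logs will show that address rather than 172.16.1.3 as the client; the inbound ACL on the inside interface is still applied to the hairpinned flow, so the existing permit for the proxy to "any" covers it. The usual alternative, if the goal is only that the proxy reach the web server by its public name, is split DNS or the `dns` keyword on the web server's static NAT so the proxy resolves the name to 172.16.1.2 and no hairpin is needed; the poster's stated requirement (reach it via 28.1.1.2) is what the twice NAT rule above satisfies.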
08-18-2020 07:56 PM
08-18-2020 09:40 PM
Thanks Francesco for your answer.
-> I still have a few queries: in order to make this kind of communication happen, is this the recommended way in a production environment, or are there alternatives?
-> Also, if I do that NATting to the Proxy_Internal IP, will that have any impact on the existing source dynamic PAT for that IP?
-> If I allow intra-zone traffic, will that make our environment vulnerable to any attack or the like?
08-19-2020 06:21 PM