Create U-Turn/Hairpin NAT for Single IP

elpollodiablo
Level 1

Trying to figure out how to create a U-Turn so that a web server we have on our DMZ is accessible to all hosts (whether on the inside or another host in the DMZ) via its public IP.  See attached crude drawing.

 

We have split DNS for this particular zone, but we need to keep the A record for this particular host consistent inside and outside.  Ordinarily I'd just use the DMZ address on the internal zone, but the developer for a particular piece of software we are deploying insists that doing a u-turn is the only way to ensure it works properly.

 

Can anyone help me out with how to create a 1:1 NAT that is accessible by the outside IP no matter where the traffic originates?

2 Replies

Ajay Saini
Level 7

Hello,

 

This should be achievable using the following two things:

 

1. 'same-security-traffic permit intra-interface' command

2. Create a NAT statement so that the ASA proxy ARPs for the public IP address on the inside, DMZ or any other interface:

For DMZ users, the source and destination will be behind the same interface, so U-turning will be needed.

nat (dmz,dmz) source static <real ip> <mapped ip>

 

For users behind the inside interface:

nat (dmz,inside) source static <real ip> <mapped ip>

A corresponding ACL might be needed.

 

Please try and test it out.

 

Regards,

Ajay
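Worked configuration for the two points above, added here as an example and not taken from the original reply. It assumes ASA 8.3+ NAT syntax and uses constructed addresses: the web server's real DMZ address 172.16.1.10, the public (mapped) address 203.0.113.10, the DMZ subnet 172.16.1.0/24, and interfaces named outside, inside and dmz. One caveat the reply does not spell out: when the DMZ client and the web server sit on the same subnet, translating only the destination is not enough, because the server would answer the client directly on the LAN and the ASA would never see the return packets. The dmz,dmz rule below therefore also translates the client's source to the ASA's dmz interface address so the reply comes back through the firewall.

```text
! --- Objects (constructed example addresses, not from the original post)
object network WEB-REAL
 host 172.16.1.10
object network WEB-PUBLIC
 host 203.0.113.10
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0

! --- 1. Allow traffic to enter and leave the same interface (needed for dmz->dmz hairpin)
same-security-traffic permit intra-interface

! --- 2. Static NAT on every interface pair from which the public IP must be reachable.
! Static source NAT is bidirectional, so connections arriving on the mapped interface
! for 203.0.113.10 are un-NATed to 172.16.1.10 and routed to the dmz.
! Outside users (the normal publish rule; included for completeness):
nat (dmz,outside) source static WEB-REAL WEB-PUBLIC
! Inside users reaching the server by its public IP:
nat (dmz,inside) source static WEB-REAL WEB-PUBLIC
! DMZ users on the same subnet as the server: translate destination AND source,
! so the server replies to the ASA rather than straight back to the client.
nat (dmz,dmz) source dynamic DMZ-NET interface destination static WEB-PUBLIC WEB-REAL

! --- ACLs. Post-8.3, interface ACLs match the REAL (untranslated) destination address.
access-list OUTSIDE_IN extended permit tcp any object WEB-REAL eq 443
access-group OUTSIDE_IN in interface outside
access-list INSIDE_IN extended permit tcp any object WEB-REAL eq 443
access-group INSIDE_IN in interface inside
access-list DMZ_IN extended permit tcp object DMZ-NET object WEB-REAL eq 443
access-group DMZ_IN in interface dmz

! --- Verification (constructed client addresses): confirm the NAT phase picks the
! intended rule and the flow is allowed from each source location.
packet-tracer input inside tcp 10.0.0.50 40000 203.0.113.10 443 detailed
packet-tracer input dmz tcp 172.16.1.50 40000 203.0.113.10 443 detailed
show nat detail
show xlate
```

Order matters only within twice NAT (section 1) when rules overlap; here each rule is bound to a distinct interface pair, so they do not compete. In the packet-tracer output for the dmz case, check that the UN-NAT phase maps 203.0.113.10 to 172.16.1.10 and that the NAT phase rewrites the client's source to the dmz interface address; if the source is left untouched, the TCP handshake will fail as described in the lead-in.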

Thank you.  Had to tear down and move my lab, so once I'm done rebuilding it I'll give it a try.
