09-07-2018 03:52 PM - edited 02-21-2020 08:12 AM
Trying to figure out how to create a U-Turn so that a web server we have on our DMZ is accessible to all hosts (whether on the inside or another host in the DMZ) via its public IP. See attached crude drawing.
We have split DNS for this particular zone, but we need to keep the A record for this particular host consistent inside and outside. Ordinarily I'd just use the DMZ address on the internal zone, but the developer for a particular piece of software we are deploying insists that doing a u-turn is the only way to ensure it works properly.
Can anyone help me out with how to create a 1:1 NAT that is accessible by the outside IP no matter where the traffic originates?
09-09-2018 11:48 PM
Hello,
This should be achievable - using following 2 things:
1. The 'same-security-traffic permit intra-interface' command.
2. A NAT statement so that the ASA proxy-ARPs for the public IP address on the inside, DMZ, or any other interface:
For DMZ users, the source and destination will be behind the same interface, so U-turning will be needed.
nat (dmz,dmz) source static <real-ip-object> <mapped-ip-object>
For users behind inside,
nat (dmz,inside) source static <real-ip-object> <mapped-ip-object>
A corresponding ACL might be needed.
Please try and test it out.
Regards,
Ajay
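The configuration the answer above describes, written out as an added example (ASA 8.3+ twice-NAT syntax; this is not config from the thread or from either poster). Interface names, object names, the RFC 5737 public address and the DMZ addressing are all assumed. It also carries the check a practitioner would want for the DMZ-to-DMZ case: when the client and the server share the DMZ segment, the server's reply would otherwise go straight back to the client at its real address and bypass the ASA, so the client's source is translated as well.

```cisco
! Added example, not part of the original post. Assumed values:
!   interfaces: inside, dmz, outside
!   web server real address 172.16.1.10 on dmz, DMZ subnet 172.16.1.0/24
!   public (mapped) address 203.0.113.10

! 1. Allow traffic to enter and leave the same interface (dmz -> dmz).
same-security-traffic permit intra-interface

! 2. Objects for the server's real and mapped addresses.
object network WEB_REAL
 host 172.16.1.10
object network WEB_PUBLIC
 host 203.0.113.10
object network DMZ_NET
 subnet 172.16.1.0 255.255.255.0

! Outside clients: the ordinary 1:1 static (assumed already in place).
nat (dmz,outside) source static WEB_REAL WEB_PUBLIC

! Inside clients reach the server via the public address; the ASA
! answers ARP for 203.0.113.10 on inside and translates to the real IP.
nat (dmz,inside) source static WEB_REAL WEB_PUBLIC

! DMZ clients (U-turn): destination 203.0.113.10 -> 172.16.1.10, and the
! client's source is PATed to the dmz interface address so the server's
! reply comes back through the ASA instead of directly to the client.
! (Assumption: PAT to the interface address is acceptable for this app.)
nat (dmz,dmz) source dynamic DMZ_NET interface destination static WEB_PUBLIC WEB_REAL

! 3. If an inbound ACL is applied on dmz, it must permit the server
! traffic by the REAL address (ACLs are evaluated after NAT un-translation).
access-list DMZ_IN extended permit tcp any object WEB_REAL eq 443
access-group DMZ_IN in interface dmz

! Verify each path before trusting it (constructed client addresses):
! packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.10 443
! packet-tracer input dmz    tcp 172.16.1.50 40000 203.0.113.10 443
```

The dmz-to-dmz rule is listed after the two static rules, but it is the only section-1 rule that matches the dmz-to-dmz direction, so ordering among them does not change the result. If the application needs to see the real client address, drop the source PAT and instead make sure the server's default route points at the ASA and that the DMZ client and server cannot reach each other at layer 2 (separate subnets or private VLANs); otherwise the reply is asymmetric and the ASA tears the connection down.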
09-10-2018 02:43 PM
Thank you. Had to tear down and move my lab, so once I'm done rebuilding it I'll give it a try.