I just replaced a Netscreen firewall with an ASA 5515-X. Everything works, almost! The Netscreen allowed clients on the guest network to access NATed hosts on the DMZ and inside interfaces, with their Internet addresses. There was nothing special about it, it just worked. I think on the ASA I need to set up a hairpin or U-turn to make this work. I have looked around and I'm not sure I understand it, so I'm asking here.
Here's my config. No VLANs on the ASA, just individual interfaces.
outside #.#.#.#/28 From ISP
inside 10.0.0.0/8 internal DNS
guest 192.168.1.0/24 external DNS
dmz 192.168.2.0/24 external DNS
What I would like is for any client on the guest network to act as if it was any client on the Internet. Is this doable? If so what's the best way to do it?
To enable hairpinning it is just one command:
same-security-traffic permit intra-interface
Most often this is used when you have configured subinterfaces on the ASA and traffic is entering and then leaving the same interface.
Keep in mind that the above command just enables hairpinning; you may need more configuration to get traffic to flow.
Please remember to rate and select a correct answer
So you have 4 different interfaces, no U-turn here then.
You want the Guest users to access the Inside and DMZ servers by their public IP address.
All you need is:
object network Real-Inside_Server
object network Public_Inside_Server
nat (inside,guest) 1 source static Real-Inside_Server Public_Inside_Server
And of course configure an ACL on the guest interface to allow access to the 10.0.0.9 host.
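Filling in the sketch above as a complete, hypothetical ASA 8.3+ configuration (an added example, not the original poster's or the answerer's config). The inside host 10.0.0.9 comes from the thread; the public addresses 203.0.113.9 and 203.0.113.10 (documentation range), the DMZ host 192.168.2.10, the ports, and the ACL name GUEST_IN are assumed placeholders. It goes slightly beyond the answer by covering the DMZ server with the same pattern, and by explicitly denying guest access to the private ranges so guest clients really do look like Internet clients.

```cisco
! Hypothetical ASA 8.3+ config (added example). Replace the 203.0.113.x
! placeholders with the real ISP-assigned addresses from the outside /28.
object network Real-Inside_Server
 host 10.0.0.9
object network Public_Inside_Server
 host 203.0.113.9
object network Real-DMZ_Server
 host 192.168.2.10
object network Public_DMZ_Server
 host 203.0.113.10
!
! Existing translations that Internet clients already use (unchanged).
nat (inside,outside) source static Real-Inside_Server Public_Inside_Server
nat (dmz,outside) source static Real-DMZ_Server Public_DMZ_Server
!
! Added: the same static translations between guest and the server
! interfaces, so a guest client sending to 203.0.113.9 is un-translated
! to 10.0.0.9 (and replies are translated back to the public address).
nat (inside,guest) source static Real-Inside_Server Public_Inside_Server
nat (dmz,guest) source static Real-DMZ_Server Public_DMZ_Server
!
! Interface ACL on guest. Since ASA 8.3, ACLs are evaluated AFTER NAT
! un-translation, so they must reference the REAL (private) addresses.
access-list GUEST_IN extended permit tcp 192.168.1.0 255.255.255.0 object Real-Inside_Server eq 443
access-list GUEST_IN extended permit tcp 192.168.1.0 255.255.255.0 object Real-DMZ_Server eq 80
! Guest must not reach anything else on inside or dmz by private address.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip any 192.168.2.0 255.255.255.0
! Everything else (the Internet) is allowed out.
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
```

To confirm the path before handing it to users, trace a guest client's packet to the public address; the output should show a NAT phase that rewrites the destination to 10.0.0.9 followed by an ACCESS-LIST phase that matches GUEST_IN, with the flow ending in an ALLOW on the inside interface:

packet-tracer input guest tcp 192.168.1.50 40000 203.0.113.9 443

Because guest uses external DNS it already resolves the public names to the public addresses, so no `dns` keyword (DNS doctoring) is needed on these NAT statements. `same-security-traffic permit intra-interface` is not required here, since guest, inside and dmz are separate interfaces and no packet enters and leaves the same one.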