08-15-2013 02:35 PM - edited 03-11-2019 07:26 PM
I created a hairpin NAT statement on an ASA so that users can access an internal website using its external IP address. I'm able to ping the site from the workstations without a problem, but I'm unable to pull up the site. It works fine externally. Anyone run into a similar issue? Running 8.2(5).
08-15-2013 02:55 PM
Hi,
You are most probably lacking a translation for the source address while you have the translation for the destination address.
What I mean is that the connection currently goes like this
So let's use this example information to configure the correct translation
Default Dynamic PAT for outbound
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
Static NAT outbound
static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
Static NAT for local traffic
static (inside,inside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
So you probably have all the above things in a similar form already on the ASA.
What you need to add is this
global (inside) 1 interface
This (together with the earlier "nat" command) will translate the users' source address while connecting to the server with the public IP address. Because we translate the users to the ASA's "inside" interface IP address, this means that the ASA will see all the packets related to the connection and the connection should work.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
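Added example (not part of the original posts and not Cisco code): a small Python trace of one TCP handshake through the hairpin, with and without the "global (inside) 1 interface" source translation described in the reply above. The client address 10.10.10.50, the ASA inside address 10.10.10.1 and the port numbers are constructed for illustration; it also assumes the ASA already permits traffic to enter and leave the same interface (same-security-traffic permit intra-interface).

```python
import ipaddress

# PUBLIC and SERVER come from the thread; CLIENT and ASA_INSIDE are constructed.
PUBLIC, SERVER = "1.1.1.1", "10.10.10.10"
CLIENT, ASA_INSIDE = "10.10.10.50", "10.10.10.1"
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")


def hairpin(source_pat):
    """Trace one SYN / SYN-ACK exchange; return (reply_matches, hops)."""
    hops = []
    # The client connects to the public address, so its socket only accepts
    # a reply whose source is PUBLIC:80.
    syn = {"src": CLIENT, "sport": 40000, "dst": PUBLIC, "dport": 80}
    hops.append(("client->ASA", syn["src"], syn["dst"]))

    # static (inside,inside): destination 1.1.1.1 -> 10.10.10.10
    fwd = dict(syn, dst=SERVER)
    xlate = None
    if source_pat:
        # nat (inside) 1 + global (inside) 1 interface: source -> ASA inside IP
        xlate = (CLIENT, syn["sport"])
        fwd.update(src=ASA_INSIDE, sport=1024)  # constructed PAT port
    hops.append(("ASA->server", fwd["src"], fwd["dst"]))

    # The server answers whatever source address it saw.
    reply = {"src": SERVER, "sport": 80, "dst": fwd["src"], "dport": fwd["sport"]}
    if reply["dst"] == ASA_INSIDE:
        # Reply returns to the ASA, which reverses both translations.
        hops.append(("server->ASA", reply["src"], reply["dst"]))
        reply = {"src": PUBLIC, "sport": 80, "dst": xlate[0], "dport": xlate[1]}
        hops.append(("ASA->client", reply["src"], reply["dst"]))
    elif ipaddress.ip_address(reply["dst"]) in INSIDE_NET:
        # Same subnet: delivered on the LAN directly, the ASA never sees it.
        hops.append(("server->client (bypasses ASA)", reply["src"], reply["dst"]))

    # The client matches the reply against the 4-tuple it connected with.
    got = (reply["src"], reply["sport"], reply["dst"], reply["dport"])
    want = (syn["dst"], syn["dport"], syn["src"], syn["sport"])
    return got == want, hops


if __name__ == "__main__":
    for pat in (False, True):
        ok, hops = hairpin(pat)
        print(f"source PAT on inside={pat}: reply accepted by client={ok}")
        for name, src, dst in hops:
            print(f"  {name}: {src} -> {dst}")
```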