Hairpin Traffic on outside interface

Tony Beseau
Level 1

Hello,

I have an ASA 5550 running 9.0(2). I have set up DNS servers internally for 2 different domains and have set up a static NAT from each DNS server to the public IP address for its domain. I want to be able to allow traffic from one internal DNS server (domain1) to make a request to the other internal DNS server (domain2), but going through the ASA to the associated public IP address.

Domain 1:
  Internal IP: 10.10.139.140/24
  Public IP: 192.168.1.42

Domain 2:
  Internal IP: 10.10.142.22/24
  Public IP: 192.168.1.36

I have these configured on the ASA

nat (inside,outside) source static 10.10.139.140 192.168.1.42
nat (inside,outside) source static 10.10.142.22 192.168.1.36
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

  The packet tracer and the real-time log viewer are indicating that this should work, but the initiating server is getting a resolution timeout. Any thoughts as to what I might be missing in the config?

Thank you for any help

Tony

5 Replies

Jouni Forss
VIP Alumni

Hi,

Are you saying that you want both of the DNS servers to be able to connect to each other's public NAT IP address?

If so, then to my understanding the above configurations would not be enough, as they are only performing static NAT towards the "outside" interface, while the traffic between them would be hairpinned on the "inside" interface, and you cannot connect to a NAT IP address that is on a far-end interface. By that I mean that you cannot connect to a NAT IP address that is located on another interface than the one where your source host is.

Therefore it would seem to me that the configuration that would enable these two DNS servers to communicate with each other's public IP addresses would be this:

object network DNS-DOMAIN1-LOCAL
 host 10.10.139.140
object network DNS-DOMAIN2-LOCAL
 host 10.10.142.22
object network DNS-DOMAIN1-PUBLIC
 host 192.168.1.42
object network DNS-DOMAIN2-PUBLIC
 host 192.168.1.36

nat (inside,inside) source static DNS-DOMAIN1-LOCAL DNS-DOMAIN1-PUBLIC destination static DNS-DOMAIN2-PUBLIC DNS-DOMAIN2-LOCAL

The above command should be looking for traffic coming from DNS-DOMAIN1-LOCAL towards DNS-DOMAIN2-PUBLIC and would then proceed to un-NAT DNS-DOMAIN2-PUBLIC to DNS-DOMAIN2-LOCAL and NAT DNS-DOMAIN1-LOCAL to DNS-DOMAIN1-PUBLIC.

This single NAT configuration is bidirectional, so it should work no matter which host initiates the connection.

Hope this helps

Let me know how it goes

- Jouni
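To make the difference between the two configurations concrete, here is a small model of how the ASA picks a manual (twice) NAT rule for a packet and what it does to the packet. This is an added example written for this page, not code from either poster or from Cisco. It assumes only what the two posts rely on: a rule matches on the ingress interface, the source and (when given) the destination; the rule's mapped interface becomes the egress interface; a static rule also matches in the reverse direction; and rules are tried in order with the first match winning, as the ASA does for manual NAT rules in section 1. Routing, ACLs, object NAT, PAT and the xlate lookup the ASA really uses for reply packets are left out, and the reply is modelled as a second rule match instead. The addresses are the ones from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Toy model of ASA manual (twice) NAT matching for the hairpin case in this
# thread. Added example, not code from the thread or from Cisco. It models only
# ingress interface + source (+ optional destination) matching, static
# source/destination translation, the reverse match that makes a static rule
# bidirectional, and first-match rule order. Routing, ACLs, object NAT, PAT and
# xlate reuse for reply packets are deliberately left out.

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is on: ingress before NAT, egress after
    src: str
    dst: str

@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_if,mapped_if) source static REAL MAPPED
           [destination static MAPPED_DST REAL_DST]"""
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None   # destination as the real-side host sees it
    real_dst: Optional[str] = None     # what that destination is un-NATed to

    def forward(self, p: Packet) -> Optional[Packet]:
        """Real -> mapped direction: packet enters on real_if from real_src."""
        if p.iface != self.real_if or p.src != self.real_src:
            return None
        if self.mapped_dst is not None and p.dst != self.mapped_dst:
            return None
        dst = self.real_dst if self.real_dst is not None else p.dst
        return Packet(self.mapped_if, self.mapped_src, dst)

    def reverse(self, p: Packet) -> Optional[Packet]:
        """Mapped -> real direction: a static rule also matches traffic entering
        on mapped_if addressed to mapped_src and un-NATs it to real_src."""
        if p.iface != self.mapped_if or p.dst != self.mapped_src:
            return None
        if self.real_dst is not None and p.src != self.real_dst:
            return None
        src = self.mapped_dst if self.mapped_dst is not None else p.src
        return Packet(self.real_if, src, self.real_src)

def translate(rules: List[TwiceNatRule], p: Packet) -> Optional[Packet]:
    """First matching rule wins, as for ASA manual NAT rules in section 1."""
    for r in rules:
        for match in (r.forward, r.reverse):
            out = match(p)
            if out is not None:
                return out
    return None

# Addresses from the thread.
DNS1_LOCAL, DNS1_PUBLIC = "10.10.139.140", "192.168.1.42"
DNS2_LOCAL, DNS2_PUBLIC = "10.10.142.22", "192.168.1.36"

# The original poster's two (inside,outside) static NATs.
OUTSIDE_RULES = [
    TwiceNatRule("inside", "outside", DNS1_LOCAL, DNS1_PUBLIC),
    TwiceNatRule("inside", "outside", DNS2_LOCAL, DNS2_PUBLIC),
]
# The (inside,inside) hairpin rule proposed in the reply.
HAIRPIN_RULE = TwiceNatRule("inside", "inside", DNS1_LOCAL, DNS1_PUBLIC,
                            mapped_dst=DNS2_PUBLIC, real_dst=DNS2_LOCAL)

def dns_exchange(rules, client_local, server_local, server_public) -> bool:
    """True if a query from client_local to server_public is delivered to
    server_local on the inside interface, and the reply comes back to
    client_local with server_public as its source (so the resolver accepts it)."""
    query = translate(rules, Packet("inside", client_local, server_public))
    if query is None or query.iface != "inside" or query.dst != server_local:
        return False
    reply = translate(rules, Packet("inside", server_local, query.src))
    return (reply is not None and reply.iface == "inside"
            and reply.dst == client_local and reply.src == server_public)

if __name__ == "__main__":
    for name, rules in [("outside NATs only", OUTSIDE_RULES),
                        ("hairpin rule first", [HAIRPIN_RULE] + OUTSIDE_RULES),
                        ("hairpin rule last", OUTSIDE_RULES + [HAIRPIN_RULE])]:
        print(f"{name:20s} DNS1->DNS2: {dns_exchange(rules, DNS1_LOCAL, DNS2_LOCAL, DNS2_PUBLIC)}"
              f"  DNS2->DNS1: {dns_exchange(rules, DNS2_LOCAL, DNS1_LOCAL, DNS1_PUBLIC)}")
        print("  query leaves as:", translate(rules, Packet("inside", DNS1_LOCAL, DNS2_PUBLIC)))
```

With only the (inside,outside) rules, the query from 10.10.139.140 to 192.168.1.36 matches the first rule, gets its source translated and is sent out the outside interface with the destination still 192.168.1.36, so it never reaches the domain2 server; this is consistent with packet tracer showing the flow as permitted while the resolver times out. With the (inside,inside) rule in place the query is delivered to 10.10.142.22 with 192.168.1.42 as its source, the reply is un-NATed back to 10.10.139.140 with 192.168.1.36 as its source, and the same rule also serves a query started by the domain2 server. The model also shows an ordering caveat: because the original (inside,outside) rule for 10.10.139.140 has no destination condition, it matches this traffic too, so the hairpin rule has to come before it in the manual NAT list (the ASA accepts a line number for that, e.g. `nat (inside,inside) 1 source static ...`) rather than being appended at the end.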