02-13-2014 07:59 AM - edited 03-11-2019 08:45 PM
Hello,
I have an ASA 5550 running 9.0(2). I have set up DNS servers internally for 2 different domains and have set up a static NAT from each DNS server to the public IP address for each domain. I want to be able to allow traffic from one internal DNS (domain1) to make a request to the other internal DNS (domain2), but going through the ASA to the associated public IP address.
Domain 1:
Internal IP: 10.10.139.140/24
Public IP: 192.168.1.42
Domain 2:
Internal IP: 10.10.142.22/24
Public IP: 192.168.1.36
I have these configured on the ASA
nat (inside,outside) source static 10.10.139.140 192.168.1.42
nat (inside,outside) source static 10.10.139.140 192.168.1.36
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
The packet tracer and the real-time log viewer are indicating that this should work, but the initiating server is getting a resolution timeout. Any thoughts as to what I might be missing in the config?
Thank you for any help
Tony
02-13-2014 08:21 AM
Hi,
Are you saying that you want both of the DNS servers to be able to connect to each other's public NAT IP address?
If so, then to my understanding the above configurations would not be enough, as they are only performing Static NAT towards the "outside" interface, while the traffic between them would be hairpinned on the "inside" interface, as you can not connect to a NAT IP address that is on a far-end interface. And by that I mean that you cannot connect to a NAT IP address that is located on another interface than where your source host is.
Therefore it would seem to me that the configuration that would enable these two DNS servers to communicate using public IP addresses would be this
object network DNS-DOMAIN1-LOCAL
host 10.10.139.140
object network DNS-DOMAIN2-LOCAL
host 10.10.142.22
object network DNS-DOMAIN1-PUBLIC
host 192.168.1.42
object network DNS-DOMAIN2-PUBLIC
host 192.168.1.36
nat (inside,inside) source static DNS-DOMAIN1-LOCAL DNS-DOMAIN1-PUBLIC destination static DNS-DOMAIN2-PUBLIC DNS-DOMAIN2-LOCAL
The above command should be looking for traffic coming from DNS-DOMAIN1-LOCAL towards DNS-DOMAIN2-PUBLIC and would then proceed to UN-NAT the DNS-DOMAIN2-PUBLIC to DNS-DOMAIN2-LOCAL and NAT the DNS-DOMAIN1-LOCAL to DNS-DOMAIN1-PUBLIC.
This single NAT configuration is bidirectional, so it should work no matter which host initiates the connection.
Hope this helps
Let me know how it goes
- Jouni
02-13-2014 11:04 AM
Yes, DNS-Domain1 local is trying to resolve a host from DNS-Domain2 using the public IP of Domain 2. I entered the commands you provided. The real-time viewer shows that a connection was built, but the resolution still timed out:
10.10.139.140 54221 192.168.1.36 53 Built outbound UDP connection 216733264 for outside:192.168.1.36/53 (192.168.1.36/53) to inside:10.10.139.140/54221 (192.168.1.42/54221)
Any other suggestions?
02-13-2014 11:25 AM
Hi,
If the traffic matched the above NAT configuration I mentioned, you should be seeing a log message of a connection built from "inside" to "inside".
If both of your actual hosts are behind "inside" and either of them tried to connect with UDP/53 towards the other one's public IP address, then the above mentioned NAT configuration should be matched.
Then again, I did not use the line number 1 in the above NAT configuration to insert it at the very top, but to be honest the above log message seems like something we should not be seeing if the suggested NAT configuration was matched.
If you were to add that NAT configuration to the top, it could be done by adding it with the number 1
nat (inside,inside) 1 source static DNS-DOMAIN1-LOCAL DNS-DOMAIN1-PUBLIC destination static DNS-DOMAIN2-PUBLIC DNS-DOMAIN2-LOCAL
Though it doesn't really seem to me that the NAT configurations you mentioned should interfere with this command working. Unless of course there are some other NAT configurations on top of this new NAT configuration.
- Jouni
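To make the rule lookup Jouni describes concrete, here is a small Python model (added here, not from the thread or from Cisco) of ordered ASA manual NAT matching: it shows why a query from DNS1 to DNS2's public IP matches the (inside,outside) rule and is sent out "outside" (the interface pair seen in Tony's log), and how the (inside,inside) twice-NAT rule at position 1 instead translates both addresses and keeps the flow on inside; it also checks a "Built ... connection" log line for the inside-to-inside pair Jouni says should appear. The rule semantics are simplified (egress taken from the rule, no route lookup, static rules matched in both directions) and do not model the version-specific failure reported later in the thread.

```python
import re
from dataclasses import dataclass

# Addresses as given in the thread
DNS1_LOCAL, DNS1_PUBLIC = "10.10.139.140", "192.168.1.42"
DNS2_LOCAL, DNS2_PUBLIC = "10.10.142.22", "192.168.1.36"

@dataclass
class NatRule:
    """nat (ingress,egress) source static src_real src_mapped
    [destination static dst_mapped dst_real]; "any" = no destination clause."""
    ingress: str
    egress: str
    src_real: str
    src_mapped: str
    dst_mapped: str = "any"
    dst_real: str = "any"

def translate(rules, ingress, src, dst):
    """First-match lookup over ordered manual NAT rules (ASA section 1).
    Returns (egress_if, translated_src, translated_dst) or None.
    Simplified model: egress comes from the rule, not a route lookup."""
    for r in rules:
        # forward direction: real source towards (mapped) destination
        if ingress == r.ingress and src == r.src_real and (r.dst_mapped == "any" or dst == r.dst_mapped):
            return (r.egress, r.src_mapped, dst if r.dst_real == "any" else r.dst_real)
        # reverse direction: static rules also un-NAT traffic sent to the mapped source
        if ingress == r.egress and dst == r.src_mapped and (r.dst_real == "any" or src == r.dst_real):
            return (r.ingress, src if r.dst_mapped == "any" else r.dst_mapped, r.src_real)
    return None

# Tony's original rules: one static NAT per DNS server towards outside
ORIGINAL = [NatRule("inside", "outside", DNS1_LOCAL, DNS1_PUBLIC),
            NatRule("inside", "outside", DNS2_LOCAL, DNS2_PUBLIC)]
# Jouni's (inside,inside) twice-NAT rule inserted at position 1
HAIRPIN = [NatRule("inside", "inside", DNS1_LOCAL, DNS1_PUBLIC, DNS2_PUBLIC, DNS2_LOCAL)] + ORIGINAL

LOG_RE = re.compile(r"Built outbound UDP connection \d+ for (\w+):[\d.]+/\d+ .* to (\w+):[\d.]+/\d+")

def log_is_hairpin(line):
    """True when a 'Built ... connection' syslog names the same interface on both
    sides, which is what a matched (inside,inside) rule should produce."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Built-connection log line")
    return m.group(1) == m.group(2)

if __name__ == "__main__":
    query = ("inside", DNS1_LOCAL, DNS2_PUBLIC)      # DNS1 asks DNS2's public IP
    print("original rules:", translate(ORIGINAL, *query))  # egress 'outside', dst untouched
    print("with hairpin :", translate(HAIRPIN, *query))    # egress 'inside', both translated
```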
02-13-2014 12:16 PM
Hi,
Thank you for your help. It still doesn't work, and I never see a log message that says the connection was built inside-inside. I even made sure I inserted the new NAT rule at the beginning. Right now, if I let each DNS out to the Internet (i.e. Google 8.8.8.8), they are able to get the proper name resolution. I was looking to do it more locally and save the trip and bandwidth to the Internet. Maybe I can revisit this some other day, but for now I just need to move forward.
Thanks again,
Tony
02-14-2014 01:29 AM
Hi,
Based on the previous discussions I have had here on the forums relating to special NAT configurations, where traffic should be forwarded to a different interface than the ASA would use by default, I would have to say that your problem of the NAT not working is most likely because of your software level.
I personally use 8.4(5), and this has always worked for me.
I had some problems on the 9.x series software, and so far the only software I can remember it working on was 9.1(1), while I had problems on the other 9.0 and 9.1 series software versions.
- Jouni