08-05-2016 03:32 AM - edited 03-12-2019 01:05 AM
Hi all
We have a strange problem; not sure if this is hairpinning or just the way an ASA works (latest OS).
WWW users can successfully target the SFTP server's external address, hit the reverse proxy and then SFTP files to the internal server (using NAT on the external interface and rules).
However, when internal users target the SFTP server using the external address, things start going astray. The firewall packet trace suggests that the packet does go from the internal 10.x.x.x address to the external address (does it ever?). However, how does the return packet get back?
Is this hairpinning, or something else? Do I need extra xlates in? I have the obvious ones in play.
Diagram attached
Thanks !!
08-05-2016 04:04 AM
That's the way the ASA works. There are three ways to solve the problem:
This is also the order in which I would prefer the options.
09-05-2016 08:38 AM
I have tried an inside-to-outside NAT and it still fails.
I have tried an inside-to-DMZ NAT and it also fails.
The NAT is inside to DMZ, source ANY, destination "external IP address", service any; translated source: original(s), translated destination: "real IP address of server in DMZ".
Or inside to outside as a test, with the same parameters.
I have supporting rules inside to DMZ and inside to outside allowing IP any.
Still no joy!
Cannot do option 2 above. DNS does resolve OK, however, so it's not DNS.
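For reference, here is what the two common shapes of this inside-to-DMZ rule look like in ASA twice-NAT syntax, together with the packet-tracer check used to see which rule a flow hits. This is an illustrative configuration added to the thread, not the poster's own config or anything from the attached diagram; the object names, the addresses 203.0.113.10, 192.168.50.10 and 10.1.1.50, and the use of TCP/22 for the SFTP service are assumptions.

```cisco
! Assumed addressing (not from the thread): public SFTP address and real DMZ address
object network SFTP_PUBLIC
 host 203.0.113.10
object network SFTP_DMZ
 host 192.168.50.10

! Variant 1: destination-only translation, the shape described in the post above.
! Inside hosts sending to the public address have the destination rewritten to the
! real DMZ address; the 10.x.x.x source is left untouched, so the DMZ host sees the
! original inside client and its reply has to be routed back through the ASA.
nat (inside,dmz) source static any any destination static SFTP_PUBLIC SFTP_DMZ

! Variant 2: translate the source as well (hairpin style). The DMZ host sees the
! connection as coming from the ASA's dmz interface address, so the reply is forced
! back through the firewall regardless of how the DMZ host routes 10.x.x.x.
nat (inside,dmz) source dynamic any interface destination static SFTP_PUBLIC SFTP_DMZ

! Check: trace a constructed inside-to-public SFTP connection and confirm which NAT
! rule is matched and which egress interface the ASA selects (client address and
! ports are assumed values).
packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.10 22 detailed
```

Configure only one of the two nat lines; the ASA evaluates manual NAT rules in order and the first match wins, so having both present means the second is never reached. Variant 1 preserves the real client address as seen by the DMZ host, variant 2 hides it behind the interface address; which one is appropriate depends on whether the reverse proxy needs to see the original source.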
08-05-2016 04:04 AM
Hello,
Question: is there a reason not to point at the local IP of the SFTP server?
//Cristian
08-05-2016 12:54 PM
Yes, because for some bizarre reason the server setup internally expects it from the reverse proxy.