06-07-2018 12:42 PM - edited 02-21-2020 07:51 AM
I'm trying to configure an ASA 5506 (ver. 9.8.1) to allow a device on the inside interface (smartphone connected to local network via wi-fi) to access an NVR (network video recorder) that is also on the same inside interface, however, I would like to accomplish this by using the outside interface address.
Currently I have NAT & ACL set up to allow a user that is off-site (over the internet) to connect to the NVR using the outside IP address that is nat'd to the inside address of the NVR; it is working great. My problem is when a user is on-site and connected to the wi-fi, the smartphone app (configured with the outside IP address) will not connect to the NVR on the same inside interface using the outside IP address.
Side note: The current NAT (inside, outside) rule is configured to use TCP port 8000 (port 8000 is an example, actual port is different).
Also, I have enabled same-security-traffic permit intra-interface as well as same-security-traffic permit inter-interface.
When the user is connected to the inside network via local wi-fi, and I insert the internal IP address of the NVR into the smartphone app, it obviously works. Simple enough, however, my customer does not understand networks and they expect to be able to open the smartphone app and pull up the cameras whether they are connected to the local wi-fi, or when they are halfway around the world on business. I could set up two connections in the smartphone app (local cameras & remote cameras), but I need it to pull up the cameras using only the outside IP address regardless of whether the user is connected to the inside interface or they are connecting from the outside world through the outside interface.
I have successfully set this up in the past on a Cisco ASA 5505 using nat (inside, inside) and it worked great. I've also heard of this being referred to as hairpin or loopback routing.
Can someone give me a configuration example of how to make this work? Thanks in advance!
06-08-2018 02:46 AM
Hi @TechnoMo816,
There are 2 possible solutions to your problem:
- DNS-doctoring
- U-turn (also called hairpin) NAT
Both of them should work on 9.8, but if you still can't get it to work, it would help if you could share the config.
HTH
Bogdan
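The U-turn (hairpin) NAT option from the reply above, written out as an added configuration example; this is not configuration from either poster, and all object names, addresses (192.168.1.0/24 for the inside LAN, 192.168.1.50 for the NVR, 203.0.113.10 for the outside address) and the TCP port 8000 from the question are assumed placeholders to be replaced with the real values. DNS doctoring is not shown because it only helps when the app connects by hostname; the question states the app is configured with the raw outside IP, which leaves U-turn NAT as the applicable method.

```cisco
! Added example (ASA 9.x manual/twice NAT), not from the original thread.
! Prerequisite already present in the question: traffic entering and
! leaving the same interface must be permitted.
same-security-traffic permit intra-interface

! Placeholder objects - replace with real values.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network NVR-INSIDE
 host 192.168.1.50
object network OUTSIDE-IP
 host 203.0.113.10
object service NVR-TCP
 service tcp destination eq 8000

! Hairpin rule: a client on inside that sends to the outside address on
! TCP/8000 has its destination rewritten to the NVR's real address.
! The source is also PATed to the inside interface address so the NVR's
! replies return through the ASA instead of going straight back to the
! client (which would break the TCP session).
! Syntax: nat (real_ifc,mapped_ifc) source dynamic <real> <mapped>
!         destination static <mapped> <real> service <real_svc> <mapped_svc>
nat (inside,inside) source dynamic INSIDE-NET interface destination static OUTSIDE-IP NVR-INSIDE service NVR-TCP NVR-TCP

! The existing rule for off-site users stays as it is, e.g.:
object network NVR-INSIDE
 nat (inside,outside) static OUTSIDE-IP service tcp 8000 8000
```

Manual NAT rules land in NAT section 1 and are evaluated before the existing object NAT rule in section 2, so the two rules do not conflict. If the public port differs from the NVR's listening port, define a second service object for the mapped port and use it as the second argument of the `service` clause. To check the rule without waiting for a phone test, run `show nat` to confirm the translation counters increment and `packet-tracer input inside tcp 192.168.1.20 12345 203.0.113.10 8000` to see the full path, including the inside interface ACL that this inside-to-inside flow is still subject to.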