How to hairpin ASA5510 ASDM 6.4 ?

happyfirst
Level 1

I have several machines behind this firewall. Each machine has its own outside static IP and I've set up a NAT for each machine to its outside IP.

Everything is working great, EXCEPT, from behind the firewall, I can't browse my own websites that I am hosting from behind the firewall. From a command prompt, the machines can resolve the URL to the correct outside IP of our web server. Our DNS is externally hosted. I just can't get a website to open from behind the firewall. IE won't connect.

I did some logging, and I see from the firewall logs the inside machine trying to hit the external IP. The log shows an INTERNAL IP on a random port trying to hit the external IP of our web server on port 80. It says success! If I use Packet Tracer, entering the same IPs and ports, it also says success.

And yet the site won't load on the inside machine?

The client machine I am testing from behind the firewall also has its own NATted external IP.

I'm not a command line/scripts guy. Looking at my ASDM Device Setup Interface GUI page, I see at the bottom both boxes are checked: one to enable traffic between different interfaces at the same security level, and the other to enable traffic between hosts on the same interface. My outside interface is security 0; my internal network interface security is 100.

What am I missing?


Julio Carvajal
VIP Alumni

Hello Happy First,

On the static one-to-one translations, can you add the DNS keyword so the ASA performs a DNS rewrite?

Refer to the following amazing blog to get an idea of what I am talking about:

http://www.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140

Any questions? Let me know. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
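The fix Julio describes, written out as ASA CLI configuration for reference. This is an added example, not configuration from the thread or from Cisco; the addresses (10.1.1.10 inside, 203.0.113.10 public), the object name WEB-SERVER and the interface names are assumed placeholders, and the syntax is the ASA 8.3+ object NAT form that ASDM 6.4 manages. The `dns` keyword is the CLI counterpart of the "Translate DNS replies that match this rule" checkbox in the ASDM NAT rule options.

```cisco
! Added example (not from this thread or from Cisco documentation).
! Assumed placeholders: inside web server 10.1.1.10, public address
! 203.0.113.10, interfaces "inside" (security 100) and "outside" (security 0).

! --- Before: plain one-to-one static NAT (what the poster describes) ---
! Inside clients resolve www.example.com to 203.0.113.10 via the external DNS
! and then try to reach 203.0.113.10 from the inside interface. That flow would
! have to hairpin back out of the inside interface, so the page never loads.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! --- After: same translation with the dns keyword (DNS doctoring) ---
! When a DNS reply from the outside passes through the ASA with an A record
! for 203.0.113.10, the ASA rewrites the record to 10.1.1.10 before handing it
! to the inside client. The client then connects to 10.1.1.10 directly on the
! inside network and no hairpin is needed.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 dns

! The rewrite only happens on DNS replies the ASA inspects, so DNS inspection
! must be active on the policy the DNS traffic hits. It is part of the default
! global policy; confirm "inspect dns" is present under class inspection_default:
!   show running-config policy-map

! Verification from an inside host: the name should now resolve to the inside
! address rather than the public one.
!   nslookup www.example.com
! On the ASA, confirm the static translation is installed:
!   show xlate | include 203.0.113.10
```

Two caveats worth checking before relying on this. The rewrite only applies to DNS replies that actually traverse the ASA, which is the poster's situation (externally hosted DNS); clients that use an internal resolver that never crosses the firewall keep getting the public address and still need a hairpin or a split-horizon DNS entry. And because the rewrite is applied per NAT rule, each web server's static translation needs the keyword, which matches the poster's later remark about ticking the box on every web server NAT.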


3 Replies


You rock! That was an awesome article. Well written, and it exactly described my problem. I checked off those DNS boxes for all my web server NATs and now I can connect from inside our firewall.

Thank You!!!!

Hello,

That is correct. I have read a lot of articles related to the DNS doctoring keyword, but that particular article is amazing.

Glad I could help my friend,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC