inside,inside NAT on ASA 9.1

Tormod Macleod
Level 1

Hello,

I'm trying to allow a DMZ host (a web proxy to be exact) to hit websites hosted in our DMZ using their public addresses (our guys don't want to have to do anything fancy with DNS). I believe this is called ip hairpinning? I've created inside,inside NATs using the new ASA 9.1 config (see below) and everything is working fine. External hosts can browse these sites from the internet using the public address and DMZ hosts can browse these sites using either the public or private addresses.

The only problem I have is I get a bit of a scary error message when I configure the NAT. The error is suggesting (as far as I can see) that ALL traffic from the target private address to the DMZ interface of the ASA is being directed to the source address of the web proxy. However, I may have the wrong end of the stick as far as the error message goes. Either way everything appears to be working fine. I've got this running in a test environment and have encountered no issues.

I'm just a wee bit concerned by the error and wondered whether anyone else had encountered this. I'm hoping it's just a "be careful what you're doing here" sort of error without necessarily indicating that something is wrong. Although that's not really how it reads. Also, it may be that there is a more efficient NAT that doesn't produce this error. I'd very much appreciate any help or advice.

Object statements, NAT statements and error message below...

object network WEBSITE-PRIVATE
 host 10.1.1.33
object network WEBSITE-PUBLIC
 host 123.123.123.123

nat (DMZ,DMZ) 15 source static any interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE unidirectional

WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.
WARNING: Users may not be able to access any service enabled on the DMZ interface.

Cheers,

Tormod

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I would suggest trying out only a slightly different format of the command.

I am not quite sure do you have only a single subnet on the "DMZ"? Something like 10.1.1.0/24?

Then you could try defining the subnet in the "nat" command. Or perhaps on the Proxy server alone.

You could also change the "source static" to "source dynamic":

object network DMZ
 subnet 10.1.1.0 255.255.255.0

nat (DMZ,DMZ) 15 source dynamic DMZ interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE

Typically when we want to PAT some traffic between interfaces (though we are doing it between the same interface) and have multiple source address then we would use "dynamic" instead of "static".

I think the fact that you are using the "static" in this case is causing the ERROR messages.

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

2 Replies

Fantastic!

It works like a charm. No error messages any more. Thanks again for your help. I must be due you a beer by now.

One thing that nearly tripped me up was that I had my inside,inside NAT below the outside,inside NAT in my config. This resulted in the traffic being sent out to the internet. Something to be mindful of.
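The two things this thread turns on, the accepted "source dynamic DMZ interface" hairpin rule and the ordering trap in the last reply, both come down to how the ASA's manual (twice) NAT table is evaluated: top-down, first match wins. The following Python model is an added example written for this page; it is not ASA code and not something either poster provided. It encodes the accepted hairpin rule from the thread and an assumed generic outbound PAT rule (the thread only says "outside,inside NAT" without showing it), then shows that a DMZ proxy packet for 123.123.123.123 egresses to the internet when the hairpin rule sits below the outbound rule, and is turned back into the DMZ with the destination untranslated to 10.1.1.33 when it sits above. The interface addresses, the proxy address and the sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of first-match manual NAT. Interface names and addresses,
# the proxy address and the outbound rule are assumptions for illustration.
IF_ADDR = {
    "DMZ": ipaddress.IPv4Address("10.1.1.1"),          # assumed DMZ interface IP
    "outside": ipaddress.IPv4Address("123.123.123.1"),  # assumed outside interface IP
}

@dataclass(frozen=True)
class Rule:
    name: str
    real_if: str                          # interface the packet enters on
    mapped_if: str                        # interface the rule sends it out of
    src_match: ipaddress.IPv4Network      # real source must fall in this net
    dst_match: ipaddress.IPv4Network      # real destination must fall in this net
    src_xlate: str                        # "interface" = PAT to mapped_if address
    dst_xlate: Optional[str]              # translated destination, None = unchanged

@dataclass(frozen=True)
class Packet:
    in_if: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def apply_nat(rules, pkt):
    """Walk the rule list top-down and return the first matching translation."""
    for rule in rules:
        if pkt.in_if != rule.real_if:
            continue
        if pkt.src not in rule.src_match or pkt.dst not in rule.dst_match:
            continue
        new_src = (IF_ADDR[rule.mapped_if] if rule.src_xlate == "interface"
                   else ipaddress.IPv4Address(rule.src_xlate))
        new_dst = pkt.dst if rule.dst_xlate is None else ipaddress.IPv4Address(rule.dst_xlate)
        return {"rule": rule.name, "egress": rule.mapped_if, "src": new_src, "dst": new_dst}
    # No manual NAT rule matched: forwarded untranslated (routing decides egress; simplified).
    return {"rule": None, "egress": None, "src": pkt.src, "dst": pkt.dst}

# The accepted hairpin rule from the thread, expressed in the model.
HAIRPIN = Rule(
    name="nat (DMZ,DMZ) 15 source dynamic DMZ interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE",
    real_if="DMZ", mapped_if="DMZ",
    src_match=ipaddress.IPv4Network("10.1.1.0/24"),
    dst_match=ipaddress.IPv4Network("123.123.123.123/32"),
    src_xlate="interface", dst_xlate="10.1.1.33",
)
# Assumed shape of the poster's outbound rule: any DMZ host PATed to the outside address.
OUTBOUND = Rule(
    name="nat (DMZ,outside) source dynamic any interface  [assumed]",
    real_if="DMZ", mapped_if="outside",
    src_match=ipaddress.IPv4Network("0.0.0.0/0"),
    dst_match=ipaddress.IPv4Network("0.0.0.0/0"),
    src_xlate="interface", dst_xlate=None,
)

WRONG_ORDER = [OUTBOUND, HAIRPIN]   # hairpin below the outbound rule, as in the last reply
RIGHT_ORDER = [HAIRPIN, OUTBOUND]   # hairpin above it

# Constructed sample packets from the DMZ web proxy (assumed address 10.1.1.20).
PROXY_TO_SITE = Packet("DMZ", ipaddress.IPv4Address("10.1.1.20"),
                       ipaddress.IPv4Address("123.123.123.123"))
PROXY_TO_INTERNET = Packet("DMZ", ipaddress.IPv4Address("10.1.1.20"),
                           ipaddress.IPv4Address("198.51.100.7"))

def compare_orderings(pkt=PROXY_TO_SITE):
    """Return the egress interface chosen under each ordering for one packet."""
    return {"wrong": apply_nat(WRONG_ORDER, pkt)["egress"],
            "right": apply_nat(RIGHT_ORDER, pkt)["egress"]}

if __name__ == "__main__":
    for label, rules in (("hairpin below outbound", WRONG_ORDER), ("hairpin above outbound", RIGHT_ORDER)):
        r = apply_nat(rules, PROXY_TO_SITE)
        print(f"{label}: egress={r['egress']} src={r['src']} dst={r['dst']}")
```

With the hairpin rule below, the broad outbound rule claims the packet first and it leaves via outside toward the real 123.123.123.123, which is exactly the "sent out to the internet" symptom; with it above, the packet is PATed to the DMZ interface address and delivered to 10.1.1.33 on the DMZ, while ordinary internet-bound traffic still falls through to the outbound rule. The fix on a real ASA is the same idea: give the more specific hairpin rule a lower line number than the catch-all.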
