07-22-2013 01:38 AM - edited 03-11-2019 07:15 PM
Hello,
I'm trying to allow a DMZ host (a web proxy, to be exact) to hit websites hosted in our DMZ using their public addresses (our guys don't want to have to do anything fancy with DNS). I believe this is called IP hairpinning? I've created inside,inside NATs using the new ASA 9.1 config (see below) and everything is working fine. External hosts can browse these sites from the internet using the public address, and DMZ hosts can browse these sites using either the public or private addresses.
The only problem I have is that I get a bit of a scary error message when I configure the NAT. The error is suggesting (as far as I can see) that ALL traffic from the target private address to the DMZ interface of the ASA is being directed to the source address of the web proxy. However, I may have the wrong end of the stick as far as the error message goes. Either way, everything appears to be working fine. I've got this running in a test environment and have encountered no issues.
I'm just a wee bit concerned by the error and wondered whether anyone else had encountered this. I'm hoping it's just a "be careful what you're doing here" sort of error without necessarily indicating that something is wrong. Although that's not really how it reads. Also, it may be that there is a more efficient NAT that doesn't produce this error. I'd very much appreciate any help or advice.
Object statements, NAT statements and error message below...
object network WEBSITE-PRIVATE
 host 10.1.1.33
object network WEBSITE-PUBLIC
 host 123.123.123.123
nat (DMZ,DMZ) 15 source static any interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE unidirectional
WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.
WARNING: Users may not be able to access any service enabled on the DMZ interface.
Cheers,
Tormod
07-22-2013 02:12 AM
Hi,
I would suggest trying out only a slightly different format of the command.
I am not quite sure whether you have only a single subnet on the "DMZ"? Something like 10.1.1.0/24?
Then you could try defining the subnet in the "nat" command. Or perhaps on the Proxy server alone.
You could also change the "source static" to "source dynamic".
object network DMZ
 subnet 10.1.1.0 255.255.255.0
nat (DMZ,DMZ) 15 source dynamic DMZ interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE
Typically, when we want to PAT some traffic between interfaces (though we are doing it between the same interface) and have multiple source addresses, we would use "dynamic" instead of "static".
I think the fact that you are using "static" in this case is causing the ERROR messages.
Hope this helps.
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
07-22-2013 06:50 AM
Fantastic!
It works like a charm. No error messages any more. Thanks again for your help. I must owe you a beer by now.
One thing that nearly tripped me up was that I had my inside,inside NAT below the outside,inside NAT in my config. This resulted in the traffic being sent out to the internet. Something to be mindful of.
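The two pitfalls in this thread (the "source static any interface" hairpin rule that produces the warning, and a same-interface rule shadowed by an outbound rule placed above it) can be caught with a small config lint. This is an added example, not code from the thread or from Cisco; the (DMZ,outside) rule in the sample config is a constructed assumption, and the lint assumes manual NAT rules are evaluated in the order they appear.

```python
import re

# Constructed ASA 9.1 snippet modelled on the thread: the original hairpin rule
# placed below a generic outbound PAT rule (the outbound rule is an assumption).
CONFIG = """\
object network WEBSITE-PRIVATE
 host 10.1.1.33
object network WEBSITE-PUBLIC
 host 123.123.123.123
object network DMZ
 subnet 10.1.1.0 255.255.255.0
nat (DMZ,outside) source dynamic DMZ interface
nat (DMZ,DMZ) 15 source static any interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE unidirectional
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)(?:\s+\d+)?\s+"
    r"source (?P<mode>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)

def parse_nat(config):
    """Return manual (twice) NAT rules in config order, i.e. evaluation order."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["has_dest"] = "destination static" in r["rest"]
            rules.append(r)
    return rules

def lint_hairpin(config):
    """Return finding codes for the two issues discussed in the thread."""
    findings = []
    rules = parse_nat(config)
    for i, r in enumerate(rules):
        if r["real_if"] != r["mapped_if"]:
            continue  # only same-interface (hairpin) rules are of interest
        # Issue 1: static 'any' -> 'interface' is what the ASA warns about;
        # dynamic PAT from the real subnet is the form that avoids the warning.
        if r["mode"] == "static" and r["real"] == "any" and r["mapped"] == "interface":
            findings.append("STATIC_ANY_TO_INTERFACE")
        # Issue 2: an earlier source-only rule from the same real interface to
        # another interface matches the proxy's traffic first, so the hairpin
        # rule never fires and the traffic leaves towards the internet.
        for earlier in rules[:i]:
            if (earlier["real_if"] == r["real_if"] and not earlier["has_dest"]
                    and earlier["mapped_if"] != r["mapped_if"]):
                findings.append("HAIRPIN_SHADOWED_BY_OUTBOUND_RULE")
                break
    return findings
```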