11-17-2017 01:02 PM - edited 02-21-2020 06:46 AM
I’ve searched and searched and searched, and I can’t find this particular configuration discussed anywhere…
My predecessor entered this NAT into our Cisco ASA:
object network obj-10.1.0.10
nat (inside_academic,outside) static 50.201.x.x no-proxy-arp service tcp www www
This NAT allows external clients to access an internal web server. Straight-forward stuff, and it works just fine.
However, our ASA has two inside interfaces: inside_academic and inside_public. The academic network hosts the web server. In order to reach the web server from the inside_public network, a device on the inside_public network must query a public DNS server, and thus access the web server via the server’s external IP address. This creates a hairpin on the outside interface, and doesn’t work.
After much research, I came upon the notion of “DNS doctoring”, and entered this into the ASA:
nat (inside_public,outside) source static 10.1.0.10 50.201.x.x dns
This works: With this statement in place, a client on the public network correctly resolves the web server to 10.1.0.10 (I realize there’s more to this than just DNS doctoring; one step at a time). However, this statement breaks the existing NAT statement. I presume this is because the NAT table is referenced top-down, so whichever NAT is encountered first for the external IP address is the only NAT that takes effect. I was hoping the ASA would take the specified services into account when looking for a match, but that doesn’t appear to be the case.
If I can’t get both of these NATs to work at the same time, what else can I do to accomplish the goal? Or is there a way to get both of them working at the same time?
11-17-2017 05:32 PM
Hi @RBenke
But why don't inside_academic and inside_public talk to each other via the real IP address, as they are both inside?
Do they have the same security level?
-If I helped you somehow, please, rate it as useful.-
11-20-2017 06:34 AM - edited 11-20-2017 06:39 AM
Inside_public doesn't have its own DNS server, it utilizes an external, public DNS server. So a device on inside_public only knows the web server's external address. That's the challenge that I'm trying to overcome.
I've found numerous articles and other references that describe how to do this when the client and the server are on the same internal ASA interface. What I can't find is any discussion of how to accomplish this when the client and server are on different internal interfaces. The problem is, I would need two NATs for the same external address, and that doesn't work. I need a different solution.
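Added example, not part of the thread: a small checker that parses the two kinds of `nat` statement shown above and lays them out in the order the ASA actually walks its NAT table (section 1 manual/twice NAT, then section 2 object NAT, then section 3 `after-auto` manual NAT, each in configuration order), then flags mapped addresses claimed by more than one static rule. Run against the thread's two statements it shows why the twice NAT wins: it sits in section 1, carries no service restriction, and so claims every new connection arriving on `outside` for the public address before the port-restricted object NAT in section 2 is consulted. The sample config is constructed: the thread redacts the public address, so a TEST-NET-3 placeholder (203.0.113.10) stands in for it, and the object's `host` line is assumed since the thread only quotes the `nat` line under it. The checker models rule order and the `service` restriction only, not the full ASA matching logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample mirroring the thread's two statements. 203.0.113.10 is a
# placeholder for the redacted public address; the `host` line is assumed.
SAMPLE_CONFIG = """\
object network obj-10.1.0.10
 host 10.1.0.10
 nat (inside_academic,outside) static 203.0.113.10 no-proxy-arp service tcp www www
!
nat (inside_public,outside) source static 10.1.0.10 203.0.113.10 dns
"""

# Trailing keywords a static nat line may carry after the addresses.
KEYWORDS = {"dns", "no-proxy-arp", "route-lookup", "unidirectional",
            "after-auto", "inactive", "net-to-net"}

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
OBJ_NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)(.*)$")
TWICE_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)(.*)$")


@dataclass
class NatRule:
    section: int            # 1 = twice NAT, 2 = object NAT, 3 = twice NAT after-auto
    real_if: str
    mapped_if: str
    real: str               # real (inside) address, or object name if no host line seen
    mapped: str             # mapped (outside) address
    service: Optional[str]  # e.g. "tcp www www"; None means all services
    options: Set[str]       # keywords such as dns, no-proxy-arp
    line: str


def parse_options(rest: str) -> Tuple[Set[str], Optional[str]]:
    """Split the tail of a nat line into keyword flags and a service restriction."""
    tokens = rest.split()
    opts = {t for t in tokens if t in KEYWORDS}
    service = None
    if "service" in tokens:
        i = tokens.index("service") + 1
        svc = []
        while i < len(tokens) and tokens[i] not in KEYWORDS:
            svc.append(tokens[i])
            i += 1
        service = " ".join(svc)
    return opts, service


def parse_nat(config: str) -> List[NatRule]:
    """Return static NAT rules in ASA evaluation order: section 1, 2, then 3."""
    sections: Dict[int, List[NatRule]] = {1: [], 2: [], 3: []}
    obj_name: Optional[str] = None
    obj_host: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := OBJECT_RE.match(line):
            obj_name, obj_host = m.group(1), None
            continue
        if m := HOST_RE.match(line):
            obj_host = m.group(1)
            continue
        if m := OBJ_NAT_RE.match(line):
            real_if, mapped_if, mapped, rest = m.groups()
            opts, svc = parse_options(rest)
            sections[2].append(NatRule(2, real_if, mapped_if, obj_host or obj_name or "?",
                                       mapped, svc, opts, line.strip()))
            continue
        if m := TWICE_NAT_RE.match(line):
            real_if, mapped_if, real, mapped, rest = m.groups()
            opts, svc = parse_options(rest)
            section = 3 if "after-auto" in opts else 1
            sections[section].append(NatRule(section, real_if, mapped_if, real,
                                             mapped, svc, opts, line.strip()))
            continue
        if not line.startswith(" "):
            obj_name = obj_host = None  # left the object block
    return sections[1] + sections[2] + sections[3]


def mapped_collisions(rules: List[NatRule]) -> Dict[str, List[NatRule]]:
    """Mapped addresses used by more than one static rule, rules in table order."""
    by_mapped: Dict[str, List[NatRule]] = {}
    for r in rules:
        by_mapped.setdefault(r.mapped, []).append(r)
    return {ip: rs for ip, rs in by_mapped.items() if len(rs) > 1}


def shadowed(rules: List[NatRule]) -> List[str]:
    """For each shared mapped address whose first rule has no service restriction,
    report the later rules that inbound traffic to that address never reaches."""
    out = []
    for mapped, rs in mapped_collisions(rules).items():
        first, rest = rs[0], rs[1:]
        if first.service:
            continue  # a port-restricted first rule leaves other ports to later rules
        for r in rest:
            out.append(f"{mapped}: section {first.section} rule ({first.real_if},{first.mapped_if}) "
                       f"claims all inbound traffic, shadowing section {r.section} rule "
                       f"({r.real_if},{r.mapped_if}) [{r.service or 'all services'}]")
    return out


if __name__ == "__main__":
    for rule in parse_nat(SAMPLE_CONFIG):
        print(f"section {rule.section}: {rule.line}")
    for msg in shadowed(parse_nat(SAMPLE_CONFIG)):
        print(msg)
```

Because the twice NAT is listed first even though it was entered second, the report names the `(inside_public,outside)` rule as the one claiming inbound connections to the public address and the `(inside_academic,outside)` object NAT as shadowed, which matches the breakage described in the thread.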