03-20-2014 08:59 AM - edited 03-11-2019 08:58 PM
ASA Version 8.4(3)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.148 255.255.255.240
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.200.253 255.255.255.0
!
same-security-traffic permit intra-interface
object network External-Face-IP
 host 8.8.8.158
object network Network-London
 subnet 192.168.200.0 255.255.255.0
object network External-www.domain.com
 host 8.8.8.152
object network www.domain.com
 host 192.168.200.66
access-list outside_access_in extended permit tcp any object www.domain.com eq www
nat (outside,inside) source static any any destination static any any destination static External-www.domain.com www.domain.com
Hi All,
I'm having difficulty configuring a NAT Hairpin (I believe is called this) on my Cisco ASA 5510.
I have a website "www.domain.com" hosted on a server on our internal network. Externally, people can access the website no problem, but when attempting to access it internally, the website never resolves. I believe this is because the website is on the same external IP subnet as the external face IP and the ASA needs to realise this and redirect to the internal IP address.
Can someone please take a look at my config above and suggest what I have done wrong?
UPDATE:
I guess what I am after is this:
http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/#.
BUT with up-to-date syntax as the above link syntax doesn't seem to work for me.
Many thanks,
Tarran
03-21-2014 04:23 AM
object-group network Private-Addresses
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,inside) source dynamic Private-Addresses interface destination static [PUBLIC-ADDRESS-OBJECT] [PRIVATE-ADDRESS-OBJECT]
You need to create a group for private addresses and put this NAT above the NAT that services your external users. This worked for me anyway. The bit that I struggled with is that you need to change the source address to be that of the inside interface of your FW. Otherwise your webserver will return the traffic directly to the source, bypassing the firewall. The firewall will deny subsequent packets sent to the web server unless you allow TCP state bypass.
Good luck
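To see why the accepted answer insists on both points (the source must be translated to the inside interface address, and the hairpin rule must sit above more general rules), here is a small model of the ASA's top-down, first-match evaluation of manual NAT rules. This is an added example, not Cisco code and not anything posted in the thread: it uses the object names and addresses from the thread, while the inside client 192.168.200.10 and the generic outbound PAT rule are constructed for the demonstration. It simplifies the ASA by matching rules in the forward direction only and by supporting identity ("any any"), "interface" and single-host mapped objects.

```python
"""Model of ASA manual (twice) NAT evaluation for the hairpin case.

Added example, not Cisco's code: rules are tried top-down, first match wins,
in the forward direction only; mapped objects are identity ('any any'),
'interface' or single-host objects. Thread addresses are used; the client
192.168.200.10 and the outbound PAT rule are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERFACE_ADDR = {"inside": "192.168.200.253", "outside": "8.8.8.148"}
SERVER_SUBNET = ipaddress.ip_network("192.168.200.0/24")
WEB_SERVER = "192.168.200.66"
PUBLIC_WEB = "8.8.8.152"
CLIENT = "192.168.200.10"  # constructed sample inside client

OBJECTS = {
    "any": ["0.0.0.0/0"],
    "Network-London": ["192.168.200.0/24"],
    "Private-Addresses": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "External-www.domain.com": [PUBLIC_WEB + "/32"],
    "www.domain.com": [WEB_SERVER + "/32"],
}


def in_object(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECTS[name])


@dataclass
class NatRule:
    """nat (ingress,egress) source {static|dynamic} SRC_REAL SRC_MAPPED
    destination static DST_MAPPED DST_REAL   (CLI order: mapped before real)"""
    ingress: str
    egress: str
    src_real: str
    src_mapped: str           # object name or "interface"
    dst_mapped: str = "any"
    dst_real: str = "any"


def _host(name: str) -> str:
    return OBJECTS[name][0].split("/")[0]


def translate(rules, ingress, src, dst) -> Optional[dict]:
    """Return the first matching rule index plus the translated addresses."""
    for idx, rule in enumerate(rules):
        if rule.ingress != ingress:
            continue
        if not (in_object(rule.src_real, src) and in_object(rule.dst_mapped, dst)):
            continue
        if rule.src_mapped == "interface":
            new_src = INTERFACE_ADDR[rule.egress]
        elif rule.src_mapped == rule.src_real:
            new_src = src                      # identity translation
        else:
            new_src = _host(rule.src_mapped)
        new_dst = dst if rule.dst_real == rule.dst_mapped else _host(rule.dst_real)
        return {"matched_rule": idx, "egress": rule.egress, "src": new_src, "dst": new_dst}
    return None


def hairpin_outcome(rules, client=CLIENT, public_ip=PUBLIC_WEB) -> dict:
    """Does an inside client hitting the public address reach the server, and
    does the server's reply come back through the ASA (symmetric path)?"""
    res = translate(rules, "inside", client, public_ip)
    if res is None:
        return {"matched_rule": None, "reaches_server": False, "symmetric": False}
    reaches = res["egress"] == "inside" and res["dst"] == WEB_SERVER
    # The server replies to whatever source it sees. If that is another host on
    # its own subnet, the reply goes straight there and bypasses the ASA, which
    # has no matching state for the client's later packets and denies them.
    seen_src = ipaddress.ip_address(res["src"])
    symmetric = reaches and (seen_src not in SERVER_SUBNET
                             or res["src"] == INTERFACE_ADDR["inside"])
    return {**res, "reaches_server": reaches, "symmetric": symmetric}


# The original poster's inbound rule: only outside-ingress traffic matches it.
OP_RULES = [NatRule("outside", "inside", "any", "any", "External-www.domain.com", "www.domain.com")]
# Identity-source hairpin: destination fixed, source left as the client address.
IDENTITY_HAIRPIN = [NatRule("inside", "inside", "any", "any", "External-www.domain.com", "www.domain.com")]
# Accepted answer: source PATed to the inside interface address.
HAIRPIN_RULES = [NatRule("inside", "inside", "Private-Addresses", "interface",
                         "External-www.domain.com", "www.domain.com")]
# Constructed generic outbound PAT of the kind most ASAs carry for Internet access.
OUTBOUND_PAT = NatRule("inside", "outside", "Network-London", "interface")
WRONG_ORDER = [OUTBOUND_PAT] + HAIRPIN_RULES   # general rule shadows the hairpin
RIGHT_ORDER = HAIRPIN_RULES + [OUTBOUND_PAT]

if __name__ == "__main__":
    for label, rules in [("OP", OP_RULES), ("identity", IDENTITY_HAIRPIN),
                         ("hairpin", HAIRPIN_RULES), ("wrong order", WRONG_ORDER),
                         ("right order", RIGHT_ORDER)]:
        print(f"{label:12s} {hairpin_outcome(rules)}")
```

Running it shows the three failure modes side by side: the original rule never matches an inside-ingress packet, the identity-source hairpin reaches the server but the reply path bypasses the firewall, and a general outbound PAT placed above the hairpin rule captures the packet first and sends it out the outside interface. Only the interface-PAT hairpin placed first yields a translated destination of 192.168.200.66 with a symmetric reply path.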
03-20-2014 04:56 PM
Hello,
Here's what you need:
same-security-traffic permit intra-interface
nat (inside,inside) source static any any destination static External-www.domain.com www.domain.com
Regards,
Felipe.
Remember to rate useful posts.
03-20-2014 07:29 PM
Hi Tarran,
What Felipe presented is a perfectly acceptable solution for hairpinning through the ASA. You mentioned an article for DNS doctoring. The correct syntax for 8.3+ is as follows using auto NAT:
object network www.domain.com
 host 192.168.200.66
 nat (inside,outside) static 8.8.8.152 dns
or using manual NAT, as you have in your config:
nat (inside,outside) source static www.domain.com External-www.domain.com dns
And while those are both great solutions, I have found that using split-horizon DNS is a much better solution most of the time.
With split-horizon DNS, you create a DNS zone on your internal DNS server that contains the necessary records for your public DNS zone, only using private IP addresses where necessary.
For example, I have a domain of awesome.com. Normally, when I resolve www.awesome.com, it goes out to my public DNS server and returns 8.8.8.152. If I implement split-dns, my internal DNS server will resolve the same FQDN, but will resolve it to 192.168.200.66.
Split-horizon DNS typically gives you a lot more control over your DNS and doesn't force you to use awkward configurations on your firewall.
Regards,
Mike
03-24-2014 02:43 AM
Thank you everyone for your help. I tried everyone's manual NAT suggestions, but the one that worked for me was TormodMacleod's:
nat (inside,inside) source dynamic Network-London interface destination static External-www.domain.com www.domain.com
Thanks again everyone - truly appreciated.