cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6351
Views
0
Helpful
4
Replies

NAT Hairpin / DNS Rewrite

Tarran
Level 1
Level 1
ASA Version 8.4(3)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.148 255.255.255.240
!

interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.200.253 255.255.255.0
!

same-security-traffic permit intra-interface

object network External-Face-IP
 host 8.8.8.158

object network Network-London
 subnet 192.168.200.0 255.255.255.0

object network External-www.domain.com
 host 8.8.8.152

object network www.domain.com
 host 192.168.200.66

access-list outside_access_in extended permit tcp any object www.domain.com eq www 

nat (outside,inside) source static any any destination static any any destination static External-www.domain.com www.domain.com

Hi All,

I'm having difficulty configuring a NAT Hairpin (I believe is called this) on my Cisco ASA 5510.

I have a website "www.domain.com"; hosted on a server on our internal network. Externally people can access the website no problem but when attempting to access it internally, the website never resolves. I believe this is because the websites is on the same external ip subnet as the external face ip and the ASA needs to realise this and redirect to the internal ip address.

Can someone please take a look at my config about and suggest what I have done wrong?

UPDATE:

I guess what I am after is this:

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/#.

BUT with up-to-date syntax as the above link syntax doesn't seem to work for me.

 

Many thanks,

Tarran

 

1 Accepted Solution

Accepted Solutions

Tormod Macleod
Level 1
Level 1

object-group network Private-Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (inside,inside) source dynamic Private-Addresses interface destination static [PUBLIC-ADDRESS-OBJECT][[PRIVATE-ADDRESS-OBJECT]

you need to create a group for private addresses and put this NAT above the NAT that services your external users. This worked for me anyway. The bit that I struggled with is that you need to change the source address to be that of the inside interface of your FW. Otherwise your webserver will return the traffic directly to the source, bypassing the firewall. The firewall will deny subsequent packets sent to the web server unless you allow tcp state bypass.

Good luck

View solution in original post

4 Replies 4

lcambron
Level 3
Level 3

Hello,

 

Here's what you need:

same-security permit intra-interface

nat (inside,inside) source static any any destination static External-www.domain.com www.domain.com

Regards,

Felipe.

 
 Remember to rate useful posts.

Hi Tarran,

Felipe presented is a perfectly acceptable solution for hairpinning throught the ASA. You mentioned an article for DNS doctoring. The correct syntax for 8.3+ is as follows using auto NAT:

object network www.domain.com
 host 192.168.200.66
 nat (inside,outside) static 8.8.8.152 dns

or using manual NAT, as you have in your config:

nat (inside,outside) source static External-www.domain.com dns

And while those are both great solutions, I have found that using split-horizon DNS is a much better solution most of the time.

With split-horizon DNS, you create a DNS zone on your internal DNS server that contains the necessary records for your public DNS zone, only using private IP addresses where necessary. 

For example, I have a domain of awesome.com. Normally, when I resolve www.awesome.com, it goes out to my public DNS server and returns 8.8.8.152. If I implement split-dns, my internal DNS server will resolve the same FQDN, but will resolve it to 192.168.200.66. 

Split-horizon DNS typically gives you a lot more control over your DNS and doesn't force you to use akward configurations on your firewall.

 

Regards,

Mike

Tormod Macleod
Level 1
Level 1

object-group network Private-Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (inside,inside) source dynamic Private-Addresses interface destination static [PUBLIC-ADDRESS-OBJECT][[PRIVATE-ADDRESS-OBJECT]

you need to create a group for private addresses and put this NAT above the NAT that services your external users. This worked for me anyway. The bit that I struggled with is that you need to change the source address to be that of the inside interface of your FW. Otherwise your webserver will return the traffic directly to the source, bypassing the firewall. The firewall will deny subsequent packets sent to the web server unless you allow tcp state bypass.

Good luck

Thank you everyone for your help. I tried everyone's manual NAT suggestions but the one that worked for me was TormodMacleod:

nat (inside,inside) source dynamic Network-London interface destination static External-www.domain.com www.domain.com

Thanks again everyone - truly appreciated.

Review Cisco Networking for a $25 gift card