12-06-2013 07:19 AM - edited 03-11-2019 08:13 PM
I can't seem to get nat hairpinning to work... Most instructions on the internet indicate how to do this with commands available prior to 8.3.
I've tried the following:
same-security-traffic permit intra-interface
asa-box(config-network-object)# object network my-inside-address-obj
asa-box(config-network-object)# nat (inside,inside) static my-outside-address-obj
which didn't work.
Then I added:
access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range
with
access-group hairpin_allow in interface inside
which also didn't work (trying to show due dilligence here...).
Then I tried:
nat (inside,inside) source static Internal_NAT_Range Internal_NAT_Range destination static External_NAT_Range External_NAT_Range
Still a no go.
Finally, I added:
"9. To avoid packet-drops due to the asymmetric nature of routing that's occuring internally, we need the ASA to bypass stateful inspection for this particular traffic. For this, we need to configure the following:
ASA(config)#access-list tcp_bypass extended permit tcp object Internal_NAT_Range object External_NAT_Range
!--- Configure the access list to specify the TCP traffic
!--- that needs to by-pass inspection to improve the performance.
!--- Configure the class map and specify the match parameter for the
!--- class map to match the interesting traffic.
ASA(config)#class-map tcp_bypass
ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA(config-cmap)#match access-list tcp_bypass
!--- Configure the policy map and specify the class map
!--- inside this policy map for the class map.
ASA(config-cmap)#policy-map tcp_bypass_policy
ASA(config-pmap)#class tcp_bypass
!--- Use the set connection advanced-options tcp-state-bypass
!--- command in order to enable TCP state bypass feature.
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
!--- Use the service-policy policymap_name [ global | interface intf ]
!--- command in global configuration mode in order to activate a policy map
!--- globally on all interfaces or on a targeted interface.
ASA(config-pmap-c)#service-policy tcp_bypass_policy inside"
Again, nothing...
My config (clean/before any of the above) is as follows...
...
object network External_NAT_Range
range x.x.56.3 x.x.59.255
object network Internal_NAT_Range
range 172.17.56.3 172.17.59.255
object network InternalIPs
subnet 172.17.56.0 255.255.248.0
object network VpnIPs
subnet 172.17.63.0 255.255.255.0
object network InternalIPs_OutOnly
range 172.17.60.1 172.17.62.254
...
nat (inside,outside) source static InternalIPs InternalIPs destination static VpnIPs VpnIPs no-proxy-arp route-lookup description Un-Nats VPN IPs
nat (inside,outside) source dynamic InternalIPs_OutOnly interface description Allows remaining interior network to access the Internet
!
object network Internal_NAT_Range
nat (inside,outside) static External_NAT_Range net-to-net
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.56.1 1
...
---------------------------------
I just want to be able to access an external resource, say, http://x.x.56.5 from an internal IP, say, 172.17.56.8
I tried to use DNS doctoring. The configuration was much simpler, and worked, but when PTR requests came in from the internet, DNS Doctoring seemed to also translate the outbound responses to reflect my internal IP's which was obviously quite wrong...
Any help from you Cisco pros would be appreciated!
Thanks!
12-06-2013 01:09 PM
Hello Carlo,
That's it man.The asa shows its allowed
Do a capture on the inside interface to check the traffic flow.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 01:13 PM
that was inside, let me try outside
crxasa# packet-tracer input inside tcp 208.x.x.12 smtp 12.x.x.35 80
12-06-2013 01:15 PM
Outside???
But aren't we supposed to be testing traffic from an inside user to a public IP address that actually belongs to an internal server???
That's what we are tshooting here.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 01:23 PM
Sorry about that, it is inside, cause it's traffic from inside to outside
12-06-2013 01:25 PM
So, why U-turning???
My recommendation.. Open a new discussion, explain the issue, and let us know when you opent it.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 01:33 PM
Sorry to confuse things, I do have the same issue as the OP, we can't get to an internal server that has a public IP or url. Just trying not have too many of the same threads, thanks.
12-06-2013 01:38 PM
Hello,
But traffic should not reach the outside bud (if we are talking about the same)
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 01:22 PM
Hello Carlo,
Why outside,
Explain your scenario cause then this will be a different issue than the owner of this post
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 01:34 PM
Yeah, I'm rather certain my issue is definitely inside,inside... my traffic should never need to touch the outside interface (I don't think).
I want my traffic originating from inside, a my private/internal IP, to essentially, bounce through the inside interface back (via the external ip) to a private/internal IP...
Perhaps a more thorough example:
1.) Internet IP x.x.56.7 is static net-to-net nat'd to 172.17.56.7 (an internal IP)
2.) My workstation has IP 172.17.56.18.
3.) I want to browse to http://x.x.56.7 and I want it to act AS-IF I were browsing to http://172.17.56.7
4.) I want it to work this way for my whole range of internal IP's 1:1 nat'd to my whole range of external IP's.
currently, browsing to http://x.x.56.7 hangs...
Thanks guys!
12-06-2013 01:38 PM
Hello,
Do the following
cap capin interface inside match tcp host 172.17.56.18 eq x.x.56.7 eq 80
cap asp type asp-drop all circular-buffer
then try to connect and share
show cap capin
show cap asp | include x.x.56.7
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 03:52 PM
Hi guys, it works for me now, thanks for all the tips.
12-06-2013 04:33 PM
Hello,
Sure man, just Remember to rate all of the helpful posts
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 12:59 PM
Hi Julio, yes I have it in there
same-security-traffic permit intra-interface
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide