Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
589
Views
5
Helpful
4
Replies

NAT in a stange way through an ASA5510

ruliffilur
Level 1
Level 1

‎10-05-2010 06:30 AM - edited ‎03-11-2019 11:50 AM

Hello

I wonder is a traffic flow like this even possible interface inside -> outside -> dmz -> outside -> inside

The case is like this: We have a guest network that only can access the internet and we got a few servers on a dmz network (inside the firewall) that we would like to be reachable from the guest network.

I know Cisco´s concept is that traffic coming in to an interface cannot exit on the same interface. But is there a way to get around that?

//Johan

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎10-05-2010 07:10 AM 

ruliffilur wrote:
Hello
I wonder is a traffic flow like this even possible interface inside -> outside -> dmz -> outside -> inside
The case is like this: We have a guest network that only can access the internet and we got a few servers on a dmz network (inside the firewall) that we would like to be reachable from the guest network.
I know Cisco´s concept is that traffic coming in to an interface cannot exit on the same interface. But is there a way to get around that?
//Johan

Johan

That restriction of not exiting on the same interface has been lifted. If you have v8.x of the code then you can use what is called "hairpinning" to allow traffic back out the same interface. From memory hairpinning is also available on 7.x code but only for IPSEC traffic.

However why do you need this. If the guest network is on the inside why not just allow them through to the DMZ rather than trying to force them via the outside interface ?

Jon

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎10-05-2010 08:13 AM

To add to Jon's suggestions, you can go from inside to outside and then have the next L3 hop send back to outside and then the ASA sending through the DMZ.

In other words you can have a L3 hop send back traffic that exited an interface through the same interface. the ASA will then route it based on its rules as whole new flow.. It is not very common, but routing can make it work and some customers with specific requirements already do it.

I hope it helps.

PK

ruliffilur
Level 1
Level 1
In response to Panos Kampanakis

‎10-06-2010 05:46 AM

thank you guys this was a very interesting and helpful information

//Johan

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to ruliffilur

‎10-06-2010 05:56 AM

Glad we could help!

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card