You are not going to get a

Jim Kerr · ‎02-05-2016

Hi All

I have a server on our internal network that has very limited access from the internet. Therefore it has an external address that is NAT'd at our firewall.

However I want to arrange to access the server from our LAN also using its external address rather than its internal address.

From what I've read so far it seems that I could direct traffic bound for the external address to go via my inside firewall interface and then do a NAT hairpin to NAT it to its internal address and back out the same inside interface.

However lots of the explanations refer to using DNS. In my case we are not using dns and simply using the external address.

Please can someone confirm to me how this can be done using a Cisco ASA 5550 and if there are any issues to be aware of.

thanks

Philip D'Ath · ‎02-05-2016

The easy solution - put the server on a separate interface. You can then use object NAT to nat the server to an external address on both the outside and inside interface.

Jim Kerr · ‎02-06-2016

thanks Philip

For one reason and another the server needs to stay on our LAN and therefore will need to stay off the inside interface.

If I route traffic from inside our LAN destined to the external address of the server which is subsequently routed to the Inside interface on the FW and I NAT to the External and internal address of the server on the Inside FW interface and then route the traffic back out of the same interface (ie the inside interface on the FW) do I need to look at split horizon and how its dealt with on the FW ?

Also if you can, I'd be grateful of an example of the configuration for both the UTurn / Hairpin NAT.

ASA 8.4

thanks

Philip D'Ath · ‎02-06-2016

You are not going to get a config that achieve what you want with your currently topology. It wont work.