Solved: outbound web request to internally hosted (natted server)

ajenks · ‎08-29-2013

Hi, I've got an issue with hairpining traffic on the ASA, it's a bit different to the usual VPN in/out query, not sure of the best way to approach this:

[example names/IPs used]

a)Web server hosted in dmz. External DNS resolves www.example.com to 8.8.8.10, ASA NATs 8.8.8.10 (outside) to 192.168.1.10 (DMZ)

b)Outbound web request (from internal network client) 10.0.0.1 is natted to source 8.8.8.9 (outside) - doesn't use a proxy and uses external DNS.

Web browsing to externally hosted sites works fine (as you'd expect), inbound web requests from foreign addresses works fine. When internal client browses to www.example.com, request fails.

I assume this is because the outbound request is Natted to originate from 8.8.8.9 and destined for 8.8.8.10 which is on the same interface on the ASA.

As the client is not using a proxy I cannot manipulate or redirect the request at this level.

What would be the best way to address this issue? Would I create some kind of NAT exception/configuration like :

source=10.0.0.x destination=8.8.8.10 NAT to source=10.0.0.x destination=192.168.1.10? meaning I would have multiple NAT rules (for multiple internally hosted servers) or is there a better way of doing this (given I am working with the outside interface which will include public traffic)?

Marius Gunnerud · ‎09-01-2013

So inside hosts are trying to access www.example.com using an external DNS. is the 8.8.8.10 address being fully NATed to the 192.168.1.10 address or is PAT being used (only specific ports being NATed). the reason I ask is that an option would be to use DNS doctoring but this is not supported when using PAT. this is done by adding the dns keyword at the end of the NAT statement.

What version ASA are you running?

Another option would be to NAT the 8.8.8.10 to 192.168.1.10 from the inside to the DMZ. NAT exemption will not work as that just prevents NATing from taking place. You would need to NAT traffic destined for 8.8.8.10 on the inside interface to the DMZ.

Both options are good options, but if possible I would go with the first option.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎09-01-2013

So inside hosts are trying to access www.example.com using an external DNS. is the 8.8.8.10 address being fully NATed to the 192.168.1.10 address or is PAT being used (only specific ports being NATed). the reason I ask is that an option would be to use DNS doctoring but this is not supported when using PAT. this is done by adding the dns keyword at the end of the NAT statement.

What version ASA are you running?

Another option would be to NAT the 8.8.8.10 to 192.168.1.10 from the inside to the DMZ. NAT exemption will not work as that just prevents NATing from taking place. You would need to NAT traffic destined for 8.8.8.10 on the inside interface to the DMZ.

Both options are good options, but if possible I would go with the first option.

--
Please remember to select a correct answer and rate helpful posts

ajenks · ‎09-02-2013

Thanks for your reponse. I am testing DNS Rewrite as a result of your suggestion. This appear to meet requirements and is preferred over your second suggestion as it does not require maintenance of additional NAT rules to control the internal redirection (in event of DNS changes).