07-09-2007 06:16 AM - edited 03-11-2019 03:41 AM
I have an ASA 5505 at home and I am currently statically NATing my internal resources to the outside world successfully. My only problem is that when I try to access my internal resources by name from the inside, they resolve to the IP of my external interface and I am unable to access them.
I know the simple solution would be to make a host file entry or modify my DNS, but I am unwilling to let the ASA beat me.
I assume I need some sort of ACL to stop NATing or some sort of NAT exemption, but am unsure of what to do. Can anyone help me?
Thanks,
07-09-2007 06:20 AM
You need either dns doctoring or hairpinning.
Here is the link which explains both. DNS doctoring will actually change the resolved ip address in the ASA to the inside address. Hairpinning will allow you to request the public address and allow you to bounce off the inside interface of the ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Please rate helpful posts.
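For reference, here is what the two approaches named above look like in the pre-8.3 ASA syntax used elsewhere in this thread. This is an added example, not configuration from the linked Cisco document or from either poster, and it assumes placeholder values: a fixed outside address of 203.0.113.10, a web server at 192.168.1.5, inside hosts in 192.168.1.0/24, and a DNS server reached through the outside interface.

```cisco
! Added example (not from the original posts). Placeholder values:
! outside IP 203.0.113.10 (assumed static), web server 192.168.1.5,
! inside hosts 192.168.1.0/24, DNS server on the outside.

! --- Option 1: DNS doctoring (one-to-one static NAT only) ---
! The "dns" keyword tells the ASA to rewrite the A record in DNS replies
! that pass through it, so inside clients resolve the server to 192.168.1.5
! and reach it directly on the LAN. Replies from an inside DNS server never
! cross the ASA and are not rewritten. Not available for port-forward
! (static PAT) entries.
static (inside,outside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255 dns

! --- Option 2: Hairpinning (works with static PAT, needs a fixed outside IP) ---
! Permit traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
! Map the public address/port to the server for packets arriving on inside.
! Note: in an (inside,inside) static the "interface" keyword means the
! INSIDE interface's IP, so the outside address must be written explicitly.
static (inside,inside) tcp 203.0.113.10 www 192.168.1.5 www netmask 255.255.255.255
! PAT the client's source to the inside interface so the server's reply
! returns through the ASA rather than straight to the client, which would
! leave the connection half-tracked and get it dropped.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
```

The explicit outside address in the (inside,inside) static is the reason hairpinning depends on a fixed public IP: if that address changes, the static entry has to change with it. When checking this on a box, `show xlate` should show the client's inside source translated to the inside interface address, and `show conn` should show the hairpinned connection with both ends on the inside interface.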
07-09-2007 06:32 AM
Thanks! That's what I wanted!
07-09-2007 09:09 AM
Here is what I have configured and it is not working. The hairpin example you sent me only shows how to do static NAT, not PAT.
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any interface outside eq ftp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq ftp-data
access-list inbound extended permit udp any interface outside eq tftp
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit icmp any interface outside
access-list inbound extended deny tcp any interface outside eq smtp log
access-list inbound extended permit tcp any interface outside eq 6129
access-list inbound extended permit tcp any interface outside eq 5900
access-list inbound extended permit udp any interface outside eq 5900
access-list inside_nat0_outbound extended permit ip any interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.1.130-192.168.1.135 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.16 3389 netmask 255.255.255.255
static (inside,outside) udp interface tftp 192.168.1.16 tftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.16 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,outside) udp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (inside,inside) tcp interface 3389 192.168.1.16 3389 netmask 255.255.255.255
static (inside,inside) udp interface tftp 192.168.1.16 tftp netmask 255.255.255.255
static (inside,inside) tcp interface ftp 192.168.1.16 ftp netmask 255.255.255.255
static (inside,inside) tcp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,inside) udp interface 5900 192.168.1.16 5900 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
access-group inbound in interface outside
07-09-2007 09:31 AM
Sorry, I don't think either works with PAT. I've never tried to hairpin with PAT, but if it would work it would probably look more like this...
static (inside,inside) tcp
07-09-2007 09:46 AM
I agree, but the problem is the outside IP is dynamic, and when the IP changed, the whole config would too. Sounds like a limitation on Cisco's part if you ask me.
Funny how a $50.00 Linksys can overcome this problem, but not an ASA...
Thanks for the advice!