ASA and Hairpinning/u-turn external NAT rule for DMZ host with 9.2.4

Here is the issue. We used 5520s with 8.4(6) on them and were able to allow our inside hosts to hit a DMZ host using the DMZ host's real IP address, and the inside hosts could also hit the NAT address of those hosts. So in my example, host 10.1.1.22 could access the DMZ host at 192.168.1.33 and its public IP of 172.33.33.33 without issues. We replaced those ASAs with a pair of 5525s with 9.2(4) and now can't access the NAT address of the DMZ host without me doing some crazy stuff or breaking access to the real IP address. In other words, without adding a workaround, our inside hosts can get to either the public IP address or the private IP address of the DMZ host, but not both. I'll add some fictitious lines representing the config and add the log file output using those IPs. It acts like it has no idea how to handle the NAT translation. You can easily fix it by changing the NAT rule to not use specific interfaces; however, that makes the real IP address inaccessible. I would like to know if there is a fix for this or if I would have to continue to put workarounds in?

!Sample Config below

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network TESTMRR1
 host 192.168.1.33

object network TESTMRR1_NAT
 host 172.33.33.33

object network DefaultDynamic
 host 172.33.33.2

object network TESTMRR1
 nat (WebDMZ,Public) static TESTMRR1_NAT

nat (Inside,Public) after-auto source dynamic any DefaultDynamic

!Sample Log output

Jun  9 08:51:22 asa1 Jun 09 2015 08:51:22: %ASA-6-302013: Built outbound TCP connection 42677175 for Public:172.33.33.33/80 (172.33.33.33/80) to Inside:10.1.1.22/52506 (172.33.33.2/52506)

Jun  9 08:51:52 asa1 Jun 09 2015 08:51:52: %ASA-6-302014: Teardown TCP connection 42677175 for Public:172.33.33.33/80 to Inside:10.1.1.22/52506 duration 0:00:30 bytes 0 SYN Timeout

I know how to work around the issue (there are several ways), but none of them are pretty. I would much rather have a simple object NAT like the one above; this used to work with 8.4(6), and now it is broken with our new 9.2(4) 5525s. Again, I can work around it with some crazy methods (I have a couple of methods), but I'd prefer not to use a workaround. Maybe there is a new command to allow this to happen; I've researched it for a few hours and can't find anything out there for this.

Thanks in advance
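The log line in the post shows what is going wrong: for a packet from 10.1.1.22 to 172.33.33.33 the ASA picks Public as the egress interface, applies the (Inside,Public) dynamic PAT (mapped source 172.33.33.2), and the SYN never gets an answer because the object NAT is only consulted on the (WebDMZ,Public) pair. The fragment below is an added example of the documented manual (twice) NAT approach for this case; it is not the poster's config and not one of the workarounds the post mentions. It reuses the object names from the post; the INSIDE_NET object and its 10.1.1.0/24 subnet are assumptions for the example.

```text
! Added example: manual (twice) NAT so inside hosts can reach the DMZ host by its mapped address.
! TESTMRR1 / TESTMRR1_NAT are the post's objects; INSIDE_NET and its subnet are assumed here.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
!
! Section 1 (manual NAT without "after-auto") is evaluated before the object NAT in section 2.
! The source is identity-translated, the destination 172.33.33.33 is untranslated to
! 192.168.1.33, and the (Inside,WebDMZ) interface pair steers the packet to WebDMZ
! instead of letting the route lookup send it out Public.
nat (Inside,WebDMZ) source static INSIDE_NET INSIDE_NET destination static TESTMRR1_NAT TESTMRR1
!
! The original object NAT stays as it is. Traffic from Inside straight to 192.168.1.33
! matches neither rule on the (Inside,WebDMZ) pair, so the real IP remains reachable.
object network TESTMRR1
 nat (WebDMZ,Public) static TESTMRR1_NAT
!
! Verify on the ASA (expected: the packet-tracer NAT phase rewrites the destination
! to 192.168.1.33 and the output interface is WebDMZ):
! packet-tracer input Inside tcp 10.1.1.22 52506 172.33.33.33 80
! show nat detail
```

Two things to check when applying this: the access list on Inside must permit the real address 192.168.1.33 (post-8.3 ACLs are evaluated against real IPs, not mapped ones), and because a manual static rule is bidirectional, connections the DMZ host itself opens toward 10.1.1.0/24 would have their source shown as 172.33.33.33; if that is unwanted, append the `unidirectional` keyword to the manual NAT line.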