
Internal access to Remote Gateway Server through outside, on same ASA

Jesserony

Good Morning,

We have a newly created VLAN (4) and subnet, 10.4.10.0/24 for some less-trusted hosts. Using 8.8.8.8 for DNS.

They need to RDC to some hosts on another local VLAN (10) and subnet, 192.168.4.0/24. For added security, we would rather have those in the new subnet connect via our externally-facing Remote Desktop Gateway server.

Both subnets are on the same switch and connecting to an ASA 5508, through the same interface "Inside". Both subnets access the internet through the same interface "Outside", and the Remote Desktop Gateway server is NATTed to a static IP on the Outside interface.

Should it even be possible for this to work? Here is a diagram:

Jesserony_1-1679493689611.png


Hi

If I understood your scenario, this can be what they call hairpinning.

https://www.cyrio.co.uk/tips/cisco/asa-hairpinning/ 

Hello
@Flavio Miranda is correct. It sounds like you need to hairpin the inside LAN users to use the public NATted address of the file server, although you could limit access with access-lists.

Hairpin Example:
same-security-traffic permit intra-interface

object network Web_Srv_Local
host 10.4.10.100

object network Web_Srv_Public
host 1.1.1.100

nat (inside,inside) 1 source dynamic any interface destination static Web_Srv_Public Web_Srv_Local
access-list 105 extended permit tcp any host 10.4.10.100 eq www
access-group 105 in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
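
Added example, not part of either reply: the same hairpin pattern adapted to the topology in the question, limited to the new 10.4.10.0/24 subnet and to TCP 443, the default HTTPS port of a Remote Desktop Gateway. The gateway's private address 192.168.4.50, the public address 203.0.113.10, the object and ACL names, and the nameif `inside` are assumptions to replace with real values; the deny line only takes effect if traffic between the two VLANs is routed by the ASA rather than by the switch.

```cisco
! Allow traffic to enter and leave the same interface (hairpin)
same-security-traffic permit intra-interface
!
! Less-trusted subnet from the question (VLAN 4)
object network VLAN4_NET
 subnet 10.4.10.0 255.255.255.0
! Assumed private address of the RD Gateway on VLAN 10
object network RDGW_LOCAL
 host 192.168.4.50
! Assumed static public address of the RD Gateway (documentation range)
object network RDGW_PUBLIC
 host 203.0.113.10
object service HTTPS
 service tcp destination eq 443
!
! Hairpin only VLAN 4 sources, only to the gateway's public address, only on 443.
! Source PAT to the inside interface keeps return traffic flowing through the ASA.
nat (inside,inside) 1 source dynamic VLAN4_NET interface destination static RDGW_PUBLIC RDGW_LOCAL service HTTPS HTTPS
!
! ASA 8.3 and later match ACLs on the real (untranslated) destination address.
access-list INSIDE_IN extended permit tcp object VLAN4_NET object RDGW_LOCAL eq 443
! Block every other path from VLAN 4 into VLAN 10, direct RDP included
access-list INSIDE_IN extended deny ip object VLAN4_NET 192.168.4.0 255.255.255.0
! Assumption: no ACL was bound to inside before, so keep other outbound traffic open
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Verify from exec mode (10.4.10.25 is a constructed client address):
!   packet-tracer input inside tcp 10.4.10.25 50000 203.0.113.10 443
```

If an ACL is already bound inbound on the inside interface, add the permit and deny entries to that ACL instead of binding a new one, since `access-group` replaces the existing binding.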