Router NAT Hairpin or Redirect?

rsmith
Level 3

We have a situation where we host an Image Server locally, but the Application Server that serves up the Images is at a Remote Vendor site that we access through a 2811 Router using NAT.

The Image Server has a NAT address on the Vendor DMZ network, and access to allow traffic inbound for the Images.

All our Internal clients use a PAT address on the Vendor DMZ network.

When our clients run the Application (Web HTTP) and request an Image from our Local server, it returns a "page cannot be displayed" error in the browser.

If we remove the NAT address from the URL, and put in the local Image Server IP, the images come up correctly.

I know where the issue lies, but not really how to resolve it. Since the URL contains the NAT address for the Image Server, our clients' request is routed back into the Vendor's network. Our 2811 Router sees the destination as locally connected, and drops the traffic as spoofed (I believe).

We cannot change the Application Server, or remove the NAT, since this Application is used by other remote agencies to access these Images.

What options do we have to redirect this URL to the Image Server? We do NOT have a Proxy server, and I don't believe the 2811 Router can do NAT Hairpinning...

I have attached a .jpg of the connectivity for review.

Russ

4 Replies

Mitchell Dyer
Level 1

I felt obligated to respond as I'm local to your area.

Any chance of having the remote server serve up the images by referencing a DNS name rather than the "outside" IP of the 2811? The router should rewrite DNS automatically if your inside hosts are using public DNS servers. Also, you could add the A record to your internal name servers. The solution might be a combination of the two, as you have to accommodate external resources accessing the images, and I'm not sure what that looks like.

I don't see a way to solve this with NAT but DNS was the first thing that came to mind.

If this isn't feasible let me know and I'll see what else I can come up with.

-Mitch
PS- Say hello to Johnson for me!

Thanks for the response. This is a private network, so no public DNS servers. I will push the vendor to see if they can reference by their Internal DNS (I believe they had issues with this for some reason). If they can fix that, we can write our own internal DNS to fix this.

I will update when I hear back from them.

(And Johnson says hello back)

Hi Russ, I agree that just using simple DNS manipulation is the answer. You really need a feature which is available in ASA only, called DNS rewrite. It might be on router code now, but I doubt it. Another possible way to solve this is to run a DNS server on the router itself. That may work around the client having to alter DNS. Check out this link, which discusses this in a somewhat similar thread to yours:

https://supportforums.cisco.com/thread/2003063

Will

Thanks for the Reply. I don't think it is actually as easy as simple DNS rewrite, mainly due to the vendor "Issues" when they originally set this up. Because they did not get the DNS name to resolve correctly, they took the "short-cut", and they are using the NAT IP address in the URL, NOT a DNS name.

This is why I am working with them to FIX the DNS issue and start utilizing a DNS name, so that I CAN do an internal DNS record to the physical IP of the Image Server. So far, no response from them...

So, that said, is there any simple, elegant way to redirect the traffic internally, using ONLY the IP address information that is embedded in the URL?
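The router-hosted DNS approach Will suggests, written out as an added Cisco IOS configuration example (not taken from this thread or from Cisco documentation). The hostname, addresses and DHCP pool are placeholders, and, as Russ notes, it only helps once the vendor's URL references a DNS name rather than the NAT IP.

```cisco
! Added example: the 2811 answers DNS for inside clients and hands out the
! local (pre-NAT) address of the Image Server, so client requests stay on
! the LAN instead of being sent to the NAT address on the vendor DMZ.
! All names and addresses below are placeholders.
!
! Enable DNS resolution and the router's own DNS server
ip domain lookup
ip dns server
!
! Forward anything the router cannot answer locally to the vendor's DNS
ip name-server 203.0.113.53
!
! Static answer: the application's image hostname resolves to the Image
! Server's real inside address rather than its NAT address on the DMZ
ip host images.vendor.example 192.168.10.25
!
! Point DHCP clients at the router for DNS (if clients get DNS from another
! DHCP server or static settings, change that instead)
ip dhcp pool INSIDE-CLIENTS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
! Check: 'show hosts' on the router lists the static entry, and a client
! running 'nslookup images.vendor.example 192.168.10.1' returns 192.168.10.25
```

External agencies keep resolving the name through the vendor's DNS to the NAT address, so nothing changes for them.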
