Hello,
We had a server on a public address and we moved it to a private IP address. The server is accessible from the world through port forwarding (over a particular public IP Address acting as a proxy/gateway) for a particular service (http, https).
The problem is that internal hosts with private IP Addresses cannot access the server through the proxy public IP Address.
This behavior could be considered expected, since Port Forwarding is aimed to serve external requests (from clients with public IP addresses).
However, this causes a problem: internal clients with private IP Addresses need to access the server through the server private IP address whereas external clients with public IP Address access the server through the proxy public IP Address.
This causes confusion to users (because sometimes they work from internal workstations and sometimes from public networks), so we need a unified access way through a single IP Address.
Our LANs are terminated on a Cisco ASA which acts as a router between them and routes traffic from/to the organization border router.
The question: is there a way to configure ASA port-forwarding so as to accept requests from private IP Addresses (on multiple interfaces/LANs/subnets) to the proxy/gateway public IP Address (on ports 80, 443) and pass-them through to the server private IP Address rather than dropping them?
If there is no way to achieve the above, I don't see any other way to find a solution than to assign a public IP Address to the server (as it was in the first place).
(Another solution would be to use a split-DNS architecture, so that internal clients use the same domain name with a different IP Address. However, this is not a feasible solution in our environment, at least in the foreseeable future.)
Someone hinted the use of hairpinning (e.g. https://community.cisco.com/t5/routing/hairpinning-or-nat-internal-to-internal-on-cisco-routers/td-p/1958800 and https://www.youtube.com/watch?v=wjEfdfI0BqY) but it seems to refer to a single interface, whereas in our case we have multiple interfaces, as well as private traffic coming from multiple remote organization site(s) reaching ASA over the outside interface (ASA is behind the border router).
Any thoughts/advice will be greatly appreciated.
Thanks,
Nick