Unified port forwarding for public and private IP Addresses

Hello,


We had a server on a public address and we moved it to a private IP address. The server is accessible from the world through port forwarding (over a particular public IP Address acting as a proxy/gateway) for a particular service (http, https).


The problem is that internal hosts with private IP Addresses cannot access the server through the proxy public IP Address.


This behavior could be considered expected, since port forwarding is aimed at serving external requests (from clients with public IP addresses).


However, this causes a problem: internal clients with private IP addresses need to access the server through the server's private IP address, whereas external clients with public IP addresses access the server through the proxy public IP address.


This causes confusion for users (because sometimes they work from internal workstations and sometimes from public networks), so we need a unified way of access through a single IP address.

 

Our LANs are terminated on a Cisco ASA which acts as a router between them and routes traffic from/to the organization border router.


The question: is there a way to configure ASA port forwarding so as to accept requests from private IP addresses (on multiple interfaces/LANs/subnets) to the proxy/gateway public IP address (on ports 80, 443) and pass them through to the server's private IP address rather than dropping them?


If there is no way to achieve the above, I don't see any other way to find a solution than to assign a public IP Address to the server (as it was in the first place).


(Another solution would be to use a split-DNS architecture, so that internal clients use the same domain name with a different IP Address. However, this is not a feasible solution in our environment, at least in the foreseeable future.)

 

Someone hinted at the use of hairpinning (e.g. https://community.cisco.com/t5/routing/hairpinning-or-nat-internal-to-internal-on-cisco-routers/td-p/1958800 and https://www.youtube.com/watch?v=wjEfdfI0BqY), but it seems to refer to a single interface, whereas in our case we have multiple interfaces, as well as private traffic coming from multiple remote organization site(s) reaching the ASA over the outside interface (the ASA is behind the border router).


Any thoughts/advice will be greatly appreciated.

Thanks,
Nick
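The hairpin the question asks about is normally expressed on an ASA as a manual (twice) NAT rule per inside-facing interface, alongside the existing port forward. The configuration below is an added example, not part of the original post and not a Cisco-supplied or verified configuration for this environment; it assumes ASA 8.3-or-later NAT syntax, and the interface names (inside1, inside2, dmz, outside), the addresses 203.0.113.10 (public proxy address) and 10.1.1.10 (server's private address), and the object names are all placeholders chosen for illustration:

```cisco
! Added example (not from the original post). Assumes ASA 8.3+ NAT syntax.
! Placeholders: 203.0.113.10 = public IP used for the port forward,
!               10.1.1.10    = server's private IP on the dmz interface,
!               inside1/inside2 = two internal LAN interfaces.

! Address and service objects
object network SRV-PRIVATE
 host 10.1.1.10
object network SRV-PUBLIC
 host 203.0.113.10
object service TCP-80
 service tcp destination eq 80
object service TCP-443
 service tcp destination eq 443

! 1) Existing port forward for Internet (outside) clients, one object-NAT
!    statement per forwarded port. This is what already works today.
object network SRV-PRIVATE-HTTP
 host 10.1.1.10
 nat (dmz,outside) static SRV-PUBLIC service tcp 80 80
object network SRV-PRIVATE-HTTPS
 host 10.1.1.10
 nat (dmz,outside) static SRV-PUBLIC service tcp 443 443

! 2) Hairpin for internal clients: one manual NAT line per inside interface and
!    port. A packet from inside1 to 203.0.113.10:80 has its destination rewritten
!    to 10.1.1.10:80, and its source is PAT'd to the dmz interface address so the
!    server's replies always come back through the ASA (avoids asymmetric routing
!    if the server's default gateway is not the ASA).
nat (inside1,dmz) source dynamic any interface destination static SRV-PUBLIC SRV-PRIVATE service TCP-80 TCP-80
nat (inside1,dmz) source dynamic any interface destination static SRV-PUBLIC SRV-PRIVATE service TCP-443 TCP-443
nat (inside2,dmz) source dynamic any interface destination static SRV-PUBLIC SRV-PRIVATE service TCP-80 TCP-80
nat (inside2,dmz) source dynamic any interface destination static SRV-PUBLIC SRV-PRIVATE service TCP-443 TCP-443

! 3) Only needed where a client's traffic enters and leaves the SAME interface
!    (the single-interface case in the linked thread); not required for
!    inside -> dmz flows.
same-security-traffic permit intra-interface

! Verification: walk a constructed client packet through the NAT and ACL lookup
! (10.2.2.50 is an assumed inside1 host; expect the destination to change to
! 10.1.1.10 and the flow to be allowed).
packet-tracer input inside1 tcp 10.2.2.50 12345 203.0.113.10 80
show nat detail
```

Two points a practitioner should weigh before copying this. First, `source dynamic any interface` hides the real client address from the server, so server logs will show every internal user as the dmz interface IP; if client attribution in the server's logs matters and the server's default route points at the ASA, an identity source translation (`source static any any`) preserves the original address instead. Second, since ASA 8.3 access rules are evaluated against the real (untranslated) address, so the access list applied to each inside interface must permit traffic to 10.1.1.10 on ports 80 and 443, not to 203.0.113.10; `packet-tracer` shows which rule the flow hits and whether the NAT phase rewrote the destination as intended.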
