I am spinning up a new VDI environment in another subnet behind our ASA 5525. There are currently three internal subnets: inside 10.1.1.0 /24 security 100 dmz 192.168.1.0 /24 security 50 citrix 172.16.1.0 /24 security 100 I have Citrix users connecting into the 172.16.1.0 /24 subnet who then need to access items in the 10.1.1.0 /24 subnet. DNS lookups for blah.mycompany.com resolve to the outside IP for the hosts in the inside network, i.e. they try to connect to blah.mycompany.com and though they can ping the host at 10.1.1.50 from 172.16.1.100 (and reverse), the DNS query points them to 206.53.xx.50.  So, they end up trying to hairpin. Is there an easy way to define users in the 172.16.1.0 /24 subnet to access hosts in 10.1.1.0 /24 by using mycompany.com and have it not be NAT'ed? I have already enabled "same-security-traffic permit intra-interface". Just wondering the best way to allow users to connect directly using external DNS resolution via the firewall. Thanks. ... View more

So, I have been presented with an interesting challenge. I would prefer using an internal Linux host to solve this, but my manager is convinced the ASA can do this. Hope this is the correct group. This is a NAT and routing question. We have two VPN tunnels. One goes to Company X and connects to our internal network. Let's call the internal network 10.10.5.0 /24. That internal network can connect over the VPN tunnel to Company X, allowing only a single IP address in a /30 subnet on the inside of Company X that we can connect to (10.109.1.253). The kicker is that Company X will only allow a single VPN tunnel from our company. The 2nd tunnel is coming from our Cloud provider (Company Y) and also connects internally and can reach IP addresses on the 10.10.5.0 /24 subnet. Question is, can I set up a NAT on the ASA 5510 (9.1 ( 3)) to allow translation from hosts coming from Company Y over their tunnel, say subnet 10.120.136.0 /24 to hit an internal IP here, say 10.10.5.145 and have that NAT to a destination IP on the Company X site or to the 10.109.1.253? Or should I simply route requests coming from Company Y (10.120.136.0 /24 ) to the /30 subnet at Company X (10.109.1.253 /30) using a NAT'ed internal IP address, say 10.10.5.145? Or would the best solution simply have users in 10.120.136.0 (Company Y) hit a Linux box at 10.10.5.145 (our internal network), and the ip  forward all requests to 10.109.1.253 (the pingable  host at Company X)? Thoughts? ... View more