Cisco ASA route traffic outside then back in (hairpin)

I have to route traffic to an outside IP address which is part of my public IP range, then have that traffic come back into my network with a static NAT which is already set up.

i.e. inside---192.168.1.3---outside 100.100.100.1----natted to inside-----192.168.1.5
maxis2cuteAsked:
 
JFrederick29 Commented:
Are you connecting to 100.100.100.1 by DNS hostname?  If so, is the name resolved externally or via internal DNS servers?  If external, you can use DNS doctoring to rewrite the DNS response to the 192.168.1.5 address.  This is a better option if possible versus hairpinning as the client to server traffic stays on the LAN and the ASA never sees it.

If DNS rewrite won't work, you can hairpin the traffic.

This link covers both methods.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
0
 
maxis2cuteAuthor Commented:
I read the article and tried each one, and nothing.

0
 
JFrederick29Commented:
Is the server hostname resolved externally?
0
 
maxis2cuteAuthor Commented:
I believe so.
0
 
JFrederick29Commented:
Okay, so you removed the "static" statement for the server and then added it back with the "dns" keyword at the end?

no static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns
0
 
maxis2cuteAuthor Commented:
I had that in already. I have just tried the inside,inside NAT and global (inside) 1 interface; now I have to see if it works.
0
 
JFrederick29Commented:
Well, with the "dns" option on the static, it will only work if you use the hostname (not the IP address).  If you ping the hostname from the inside, it should resolve to the inside IP address (not the external).
0
 
maxis2cuteAuthor Commented:
I guess I could reopen pings.
0
 
JFrederick29Commented:
You don't need to open ping.  I am more interested in the DNS response.  The ping of the hostname will generate a DNS query.  If the rewrite is working properly, the hostname should resolve to the internal IP address (instead of the public IP).
0
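The "dns" keyword on the static tells the ASA to inspect DNS replies that cross it and, when an A record carries the mapped (public) address of that static, overwrite it with the real (inside) address before the reply reaches the client. That is exactly the check JFrederick29 describes: an inside host resolving the name should get 192.168.1.5, not 100.100.100.1. The following Python model of that rewrite is an added example written for this page; it is not Cisco code and not from the thread. It reuses the question's addresses as the static NAT entry, the hostnames www.example.test / host.example.test and the DNS response bytes are constructed here, and it only models the packet rewrite, not the ASA's interface or inspection-policy logic.

```python
import struct
import ipaddress
from typing import Dict, List, Tuple

# Constructed static NAT table: mapped (public) IP -> real (inside) IP.
# Addresses are the ones from the question; on the ASA the "dns" keyword
# on the corresponding "static" is what enables this rewrite.
STATIC_NAT_DNS: Dict[str, str] = {
    "100.100.100.1": "192.168.1.5",
}

TYPE_A = 1
TYPE_CNAME = 5


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the DNS name that starts at `off`.
    Handles plain label sequences and compression pointers (RFC 1035 4.1.4)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2          # a two-byte pointer ends the name
        off += 1 + length


def doctor_dns_response(pkt: bytes, nat_table: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite every A record whose address is a mapped IP in nat_table.
    A records are fixed 4-byte rdata, so the packet length never changes.
    Returns (rewritten_packet, [(old_ip, new_ip), ...])."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    buf = bytearray(pkt)
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        return bytes(buf), []      # QR bit clear: a query, nothing to doctor
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # skip QNAME, QTYPE, QCLASS
    rewrites: List[Tuple[str, str]] = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            old = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            new = nat_table.get(old)
            if new:
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((old, new))
        off += rdlen               # CNAME and other types are left untouched
    return bytes(buf), rewrites


def build_sample_response() -> bytes:
    """Constructed reply for www.example.test: a CNAME to host.example.test,
    then an A record pointing at the public (mapped) address 100.100.100.1."""
    def name(s: str) -> bytes:
        return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)   # response, 1 question, 2 answers
    q = name("www.example.test") + struct.pack("!HH", TYPE_A, 1)
    cname_rd = name("host.example.test")
    # CNAME answer; its owner name is a pointer to the question name at offset 12
    a1 = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(cname_rd)) + cname_rd
    # A answer; its owner name is a pointer to the CNAME rdata
    cname_rd_off = 12 + len(q) + 2 + 10
    a2 = bytes([0xC0 | (cname_rd_off >> 8), cname_rd_off & 0xFF])
    a2 += struct.pack("!HHIH", TYPE_A, 1, 300, 4) + ipaddress.IPv4Address("100.100.100.1").packed
    return hdr + q + a1 + a2


if __name__ == "__main__":
    doctored, changes = doctor_dns_response(build_sample_response(), STATIC_NAT_DNS)
    for old, new in changes:
        print(f"rewrote {old} -> {new}")
```

Running the module rewrites the single A record while leaving the CNAME alone, which is the behaviour to expect from an inside "ping hostname" or nslookup once the static with "dns" is in place: the answer comes back as the inside address. If the inside hosts use an internal DNS server that answers from its own zone, the reply never crosses the ASA and this rewrite never happens, which is why the thread first asks whether the name is resolved externally.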
 
maxis2cuteAuthor Commented:
It's actually https://www..........
0
 
JFrederick29Commented:
Yeah, that's okay.  Have you tried a ping to the hostname from a command prompt on the inside?
0
 
maxis2cuteAuthor Commented:
I must be an idiot; the external hostname is blabla/bla. I don't know how to put in the / to ping.

The internal hostname is different.
0
 
maxis2cuteAuthor Commented:
If I do an nslookup it gives me the external IP address, and a ping to just the main domain name gives me the external IP address as well.
0
 
JFrederick29Commented:
For example:

ping www.google.com
0
 
maxis2cuteAuthor Commented:
Forget it, I just made an LMHOSTS file instead.
0
 
JFrederick29Commented:
Well, that is an option :)  Typically not the best if you are talking about a good number of workstations though...
0
 
maxis2cuteAuthor Commented:
That's what login scripts are for. Thanks, your help is dead on; I have never got this to work. EVER.

0
Question has a verified solution.