  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3141

Cisco ASA route traffic outside then back in (hairpin)

I have to route traffic to an outside IP address which is part of my public IP range, then have that traffic come back into my network with a static NAT which is already set up.

i.e. inside---192.168.1.3---outside 100.100.100.1----natted to inside-----192.168.1.5
Asked by: maxis2cute
1 Solution
 
JFrederick29 Commented:
Are you connecting to 100.100.100.1 by DNS hostname?  If so, is the name resolved externally or via internal DNS servers?  If external, you can use DNS doctoring to rewrite the DNS response to the 192.168.1.5 address.  This is a better option if possible versus hairpinning as the client to server traffic stays on the LAN and the ASA never sees it.

If DNS rewrite won't work, you can hairpin the traffic.

This link covers both methods.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
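As an added example (not from this thread or the linked Cisco document), here is what both methods look like in pre-8.3 ASA syntax, the same `static` form used in this thread, using the addresses from the question; the 192.168.1.0/24 inside subnet and the interface names are assumptions.

```ios
! Added example, pre-8.3 ASA syntax. Public 100.100.100.1 and server 192.168.1.5
! come from the question; the 192.168.1.0/24 inside subnet is an assumption.

! --- Option 1: DNS doctoring (preferred: client-to-server traffic stays on the LAN) ---
! The "dns" keyword makes the ASA rewrite A-record answers that carry the mapped
! address 100.100.100.1 to the real address 192.168.1.5 as the reply crosses the
! outside interface. It only helps clients that connect by hostname and resolve it
! through an external DNS server, and it needs DNS inspection to be enabled.
static (inside,outside) 100.100.100.1 192.168.1.5 netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! --- Option 2: hairpin (when clients must use the IP, or the name resolves internally) ---
! Allow a flow to enter and leave the same interface.
same-security-traffic permit intra-interface
! Translate the public address to the real server when it is reached from inside.
static (inside,inside) 100.100.100.1 192.168.1.5 netmask 255.255.255.255
! PAT inside clients to the inside interface address so the server's replies go
! back through the ASA; without this the return path is asymmetric and the
! connection fails.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface

! Check from an inside host: with doctoring, "nslookup <hostname>" must return
! 192.168.1.5. If it still returns 100.100.100.1, the reply did not pass through
! the outside interface (internal DNS) or DNS inspection is not applied.
```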
maxis2cute (Author) Commented:
I read the article and tried each one, and nothing.

JFrederick29 Commented:
Is the server hostname resolved externally?
maxis2cute (Author) Commented:
I believe so.
JFrederick29 Commented:
Okay, so you removed the "static" statement for the server and then added it back with the "dns" keyword at the end?

! x.x.x.x = mapped (public) address, y.y.y.y = real (inside) server address
no static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns
maxis2cute (Author) Commented:
I had that in already. I have just tried the inside, inside nat and global inside 1 interface; now I have to see if it works.
JFrederick29 Commented:
Well, with the "dns" option on the static, it will only work if you use the hostname (not the IP address).  If you ping the hostname from the inside, it should resolve to the inside IP address (not the external).
maxis2cute (Author) Commented:
I guess I could reopen pings.
JFrederick29 Commented:
You don't need to open ping.  I am more interested in the DNS response.  The ping of the hostname will generate a DNS query.  If the rewrite is working properly, the hostname should resolve to the internal IP address (instead of the public IP).
maxis2cute (Author) Commented:
It's actually https://www..........
JFrederick29 Commented:
Yeah, that's okay.  Have you tried a ping to the hostname from a command prompt on the inside?
maxis2cute (Author) Commented:
I must be an idiot. The external host name is blabla/bla; I don't know how to put in the / to ping.

The internal host name is different.
maxis2cute (Author) Commented:
If I do an nslookup it gives me the external IP address, and a ping to just the main domain name gives me the external IP address as well.
JFrederick29 Commented:
For example:

ping www.google.com
maxis2cute (Author) Commented:
Forget it, I just made an LMHOSTS file instead.
JFrederick29 Commented:
Well, that is an option :)  Typically not the best if you are talking about a good number of workstations though...
maxis2cute (Author) Commented:
That's what login scripts are for. Thanks, your help is dead on; I have never got this to work. EVER.
