maxis2cute

Cisco ASA route traffic outside then back in (hairpin)

I have to route traffic to an outside IP address which is part of my public IP range, then have that traffic come back into my network with a static NAT which is already set up.

i.e. inside---192.168.1.3---outside 100.100.100.1----natted to inside-----192.168.1.5
ASKER CERTIFIED SOLUTION
JFrederick29
maxis2cute

ASKER

I read the article and tried each one and nothing.

Is the server hostname resolved externally?
I believe so
Okay, so you removed the "static" statement for the server and then added it back with the "dns" keyword at the end?

no static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns
I had that in already, I have just tried the inside, inside nat and global inside 1 interface, now I have to see if it works
Well, with the "dns" option on the static, it will only work if you use the hostname (not the IP address).  If you ping the hostname from the inside, it should resolve to the inside IP address (not the external).
I guess I could reopen pings
You don't need to open ping.  I am more interested in the DNS response.  The ping of the hostname will generate a DNS query.  If the rewrite is working properly, the hostname should resolve to the internal IP address (instead of the public IP).
It's actually https://www..........
Yeah, that's okay.  Have you tried a ping to the hostname from a command prompt on the inside?
I must be an idiot, the external host name is blabla/bla. I don't know how to put in the / to ping

the internal host name is different
If I do an ns lookup it gives me the external IP address, and a ping to just the main domain name gives me the external IP address as well
For example:

ping www.google.com
Forget it, I just made a lmhost file instead
Well, that is an option :)  Typically not the best if you are talking about a good number of workstations though...
That's what login scripts are for. Thanks, your help is dead on, I have never got this to work. EVER