Solved

ASA 5505 hairpinning

Posted on 2009-04-09
2
483 Views
Last Modified: 2012-05-06
Hi,

I previously had the following network arrangement (IP addresses changed to RFC 1918 for privacy purposes).

An outside network of 192.168.1.0/24 (This is actually public-space in the actual rea-life scenario)
An inside network of  10.0.0.0/24 (This is RFC 1918 space in the real life-scenario)
An Asa 5505 sitting between the two.


A monitoring device with ip 192.168.1.10 monitoring an inside device with IP 10.0.0.10 with SNMP via a static one to one NAT and appropriate ACLs on the ASA.


The configuration has recently changed in that there is now a site to site VPN from the ASA to a remote site (supplied via a DSL line) with an IP range of 10.0.1.0/24. The site to site VPN matches 10.0.0.0/24 to 10.0.1.0/24 and vice versa.
The device with the original IP of 10.0.0.10 has moved to the remote site and now has a IP of 10.0.1.10.
This device is reachable from the 10.0.0.0/24 network directly over the VPN.

What i need to get working is the monitoring. Monitoring traffic will still be sourced at 192.168.1.10 but cannot be allowed to access the target device (10.0.1.0) via the DSL's WAN connection and as  a result the traffic needs to go over the exisitng site to site.
A static one to one NAT is still requried as the 192.168.1.10 machine is actually public IP in real life.
IS this possible?

Cheers,
Phil.
0
Comment
Question by:PhilMacavity
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 8

Accepted Solution

by:
Nothing_Changed earned 250 total points
ID: 24115382
Yes, this should work on your ASA by adding this command:

same-security-traffic permit intra-interface
0
 
LVL 1

Author Closing Comment

by:PhilMacavity
ID: 31568460
Additional NAT commands were requried n order to get the correct functionality.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question