Solved

Cisco ASA 5510 static NAT hairpinning

Posted on 2013-05-21
Last Modified: 2013-05-21
I have an ASA that on the inside has the local LAN 192.168.208.0/24. In that LAN I have both PCs and a server, 192.168.208.6, which is assigned static NAT/PAT to a certain outside IP. The thing is that I can see the server from outside, and with basic hairpinning I can even see it from itself by going to http://189.210.x.x/, but I cannot seem to make it work on the other LAN PCs, which is quite weird. Can you help me sort it out?

name 189.210.x.x SERVER_OUTSIDE
name 192.168.208.6 SERVER_INSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
static (Inside,Inside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host SERVER_OUTSIDE eq www

Question by:cristiansava

Author Comment

by:cristiansava
ID: 39183593
Btw, I am using an older IOS: 8.2(5)

Accepted Solution

by:
MarcusSjogren earned 500 total points
ID: 39183666
Hi,

I think you need to add the following line for it to work:

global (inside) 1 interface

It will enable PAT for returning traffic.

There is another solution to this as well. Basically add the word "dns" to the NAT-command and it will use "DNS Doctoring" which will change DNS requests regarding your public IP and respond with the internal IP, a DNS-NAT one could say.
This requires that you are using an external DNS though so the DNS-requests are going through the firewall.

Command:
static (inside,outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255 dns





Marcus
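Why the `global (inside) 1 interface` line matters, as an added example that is not part of the original answer: a small Python model of the hairpin path with and without source PAT on the inside interface. The public address 203.0.113.10 (standing in for the elided 189.210.x.x), the ASA inside address 192.168.208.1 and the client 192.168.208.50 are assumptions.

```python
# Toy model of the ASA 8.2 hairpin path discussed in this thread.
# Only 192.168.208.6 and the /24 come from the question; the rest is assumed.
SERVER_INSIDE = "192.168.208.6"
SERVER_OUTSIDE = "203.0.113.10"   # placeholder for the elided 189.210.x.x
ASA_INSIDE = "192.168.208.1"      # assumed ASA inside interface address
CLIENT = "192.168.208.50"         # constructed LAN PC


def asa_translate(src, dst, global_inside):
    """Inbound hairpin packet: static (Inside,Inside) rewrites the destination;
    the source is PATed to the interface only if 'global (inside) 1' exists."""
    if dst != SERVER_OUTSIDE:
        raise ValueError("not hairpin traffic")
    new_src = ASA_INSIDE if global_inside else src
    return new_src, SERVER_INSIDE


def hairpin_session(global_inside):
    """Follow one request/reply and report what each end observes."""
    # 1. Client sends to the public IP via its default gateway (the ASA).
    seen_src, seen_dst = asa_translate(CLIENT, SERVER_OUTSIDE, global_inside)
    # 2. Server answers whoever it saw as the source.
    reply_src, reply_dst = seen_dst, seen_src
    if reply_dst == ASA_INSIDE:
        # 3a. Reply goes back to the ASA, which reverses both translations.
        reply_src, reply_dst = SERVER_OUTSIDE, CLIENT
        via_asa = True
    else:
        # 3b. Reply target is on the server's own /24, so it is delivered
        #     directly on the LAN and the ASA never sees it.
        via_asa = False
    return {
        "server_sees_src": seen_src,
        "client_sees_reply_from": reply_src,
        "reply_via_asa": via_asa,
        # The client opened a connection to SERVER_OUTSIDE; a reply from any
        # other address does not match it and the session never completes.
        "established": reply_src == SERVER_OUTSIDE,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("global (inside) 1 interface:", flag, hairpin_session(flag))
```

With the PAT in place the server sees every internal client as the ASA's inside address, so its access logs no longer identify the individual LAN PC.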

Author Comment

by:cristiansava
ID: 39183676
I will try the global inside statement. The DNS doctoring I already tried out with no effect.