Solved

Cisco ASA 5510 static NAT hairpinning

Posted on 2013-05-21
521 Views
Last Modified: 2013-05-21
I have an ASA that on the inside has the local LAN 192.168.208.0/24. In that LAN I have both PCs and a server, 192.168.208.6, which is assigned static NAT/PAT to a certain outside IP. The thing is that I can see the server from outside, and from basic hairpinning I can even see it from itself by going to http://189.210.x.x/, but I cannot seem to make it work on the other LAN PCs, which is quite weird. Can you help me sort it out?

name 189.210.x.x SERVER_OUTSIDE
name 192.168.208.6 SERVER_INSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
static (Inside,Inside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any host SERVER_OUTSIDE eq www

Question by:cristiansava
3 Comments
 

Author Comment

by:cristiansava
ID: 39183593
BTW, I am using an older IOS: 8.2(5)

Accepted Solution

by: MarcusSjogren (earned 2000 total points)
ID: 39183666
Hi,

I think you need to add the following line for it to work:

global (inside) 1 interface

It will enable PAT for returning traffic.

There is another solution to this as well. Basically, add the word "dns" to the NAT command and it will use "DNS Doctoring", which will change DNS replies regarding your public IP and respond with the internal IP, a DNS NAT one could say.
This requires that you are using an external DNS, though, so the DNS requests are going through the firewall.

Command:
static (inside,outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255 dns

Marcus
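As an added example (not part of the original thread or Cisco's own tooling), a small Python checker that applies Marcus's point to the configuration posted in the question: on ASA 8.2, inside-to-inside hairpin NAT needs intra-interface traffic permitted, a static (Inside,Inside) translation for the server, and a global on the inside interface for every dynamic NAT id the inside uses, otherwise the return traffic has no PAT entry. Function and message names are my own; interface names are compared case-insensitively as a normalization choice.

```python
import re

# Constructed sample: the ASA 8.2 configuration from the question, with the
# masked public address left exactly as the poster wrote it.
ASA_CONFIG = """
name 189.210.x.x SERVER_OUTSIDE
name 192.168.208.6 SERVER_INSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
static (Inside,Inside) SERVER_OUTSIDE SERVER_INSIDE netmask 255.255.255.255
"""


def hairpin_findings(config, inside="Inside", server_out="SERVER_OUTSIDE",
                     server_in="SERVER_INSIDE"):
    """Return the commands still missing for inside-to-inside hairpin NAT
    of server_out -> server_in (ASA 8.2 pre-8.3 NAT syntax)."""
    # Normalize whitespace and case so 'Inside' and 'inside' compare equal (assumption).
    norm = [" ".join(l.split()).lower() for l in config.splitlines() if l.strip()]
    i, so, si = inside.lower(), server_out.lower(), server_in.lower()
    findings = []
    # 1. Traffic entering and leaving the same interface must be allowed.
    if "same-security-traffic permit intra-interface" not in norm:
        findings.append("same-security-traffic permit intra-interface")
    # 2. The public address must be translated when the packet stays on the inside.
    if not any(l.startswith(f"static ({i},{i}) {so} {si} ") for l in norm):
        findings.append(f"static ({inside},{inside}) {server_out} {server_in} "
                        "netmask 255.255.255.255")
    # 3. Every dynamic nat id used on the inside (id 0 is NAT exemption) needs a
    #    matching global on the inside, or hairpinned PCs get no PAT entry.
    nat_ids = set()
    for l in norm:
        m = re.match(rf"nat \({i}\) (\d+) ", l)
        if m and m.group(1) != "0":
            nat_ids.add(int(m.group(1)))
    for nid in sorted(nat_ids):
        if not any(l.startswith(f"global ({i}) {nid} ") for l in norm):
            findings.append(f"global ({inside}) {nid} interface")
    return findings


if __name__ == "__main__":
    for cmd in hairpin_findings(ASA_CONFIG):
        print("missing:", cmd)   # prints: missing: global (Inside) 1 interface
```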
 

Author Comment

by:cristiansava
ID: 39183676
I will try the global inside statement. The DNS doctoring I already tried out with no effect.