ASA hairpin nat
Posted on 2013-06-06
So here's my situation. I have an ASA running 8.0.4 which can't be upgraded at the moment. This ASA has a guest network which is working fine, except that the captive portal page has a certificate error which we want to correct. The captive portal page is on the wireless controller AND is in the same subnet as the guest users. The guest users receive public DNS servers via DHCP (dictated by company security policy), and they don't have any one-to-one static mappings on the ASA nor are they available.
When this situation has come up in the past, there were usually a couple differences: the portal page was usually a virtual IP on the controller which wasn't a part of the guest network and/or there was an available static ip mapping that I could use for some DNS doctoring. However, I can't do DNS doctoring without a 1-to-1 mapping, and the captive portal is on the same subnet as the guests.
My only thought was PAT plus destination natting, but it didn't seem to work and I'm not onsite today to test it myself and do things like packet capture.
Here's what I did:
192.168.50.0/24 guest network
192.168.50.2 captive portal
188.8.131.52 public ip
Set the captive portal to use an FQDN that did resolve to the company's public IP address using public DNS servers - vpn.company.com (I do have a certificate installed in the captive portal for vpn.company.com)
From there I had a PAT and a static NAT to redirect traffic. The PAT was to change the source to get away from asymmetric routing, and the nat was to change the destination address from a public to a private.
access-list Guest_Network_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 host 184.108.40.206
global (outside) 1 interface
global (Guest_Network) 20 interface
nat (Guest_Network) 0 access-list Guest_Network_nat0_outbound
nat (Guest_Network) 20 access-list Guest_Network_nat_outbound
nat (Guest_Network) 1 0.0.0.0 0.0.0.0
static (Guest_Network,Guest_Network) 220.127.116.11 192.168.50.2 netmask 255.255.255.255