?
Solved

ASA hairpin nat

Posted on 2013-06-06
1
Medium Priority
?
839 Views
Last Modified: 2013-07-10
So here's my situation. I have an ASA running 8.0.4 which can't be upgraded at the moment. This ASA has a guest network which is working fine, except that the captive portal page has a certificate error which we want to correct. The captive portal page is on the wireless controller AND is in the same subnet as the guest users. The guest users receive public DNS servers via DHCP (dictated by company security policy), and they don't have any one-to-one static mappings on the ASA nor are they available.

When this situation has come up in the past, there were usually a couple differences: the portal page was usually a virtual IP on the controller which wasn't a part of the guest network and/or there was an available static ip mapping that I could use for some DNS doctoring. However, I can't do DNS doctoring without a 1-to-1 mapping, and the captive portal is on the same subnet as the guests.

My only thought was PAT plus destination natting, but it didn't seem to work and I'm not onsite today to test it myself and do things like packet capture.

Here's what I did:
192.168.50.0/24 guest network
192.168.50.2 captive portal
1.1.1.1 public ip

Set the captive portal to use an FQDN that did resolve to the company's public IP address using public DNS servers - vpn.company.com (I do have a certificate installed in the captive portal for vpn.company.com)

From there I had a PAT and a static NAT to redirect traffic. The PAT was to change the source to get away from asymmetric routing, and the nat was to change the destination address from a public to a private.

access-list Guest_Network_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 host 98.100.146.50

global (outside) 1 interface
global (Guest_Network) 20 interface

nat (Guest_Network) 0 access-list Guest_Network_nat0_outbound
nat (Guest_Network) 20 access-list Guest_Network_nat_outbound
nat (Guest_Network) 1 0.0.0.0 0.0.0.0

static (Guest_Network,Guest_Network) 98.100.146.50 192.168.50.2 netmask 255.255.255.255
0
Comment
Question by:rauenpc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 17

Accepted Solution

by:
MAG03 earned 2000 total points
ID: 39232278
I am not quite sure I understand exactly what issue you are having.  first off, 98.100.146.50  is the public IP of the captive portal?  and vpn.company.com points to that IP?

So you clients on the guest network are connecting to vpn.company.com which initially sends them out to the internet for their DNS lookup.  Now the 98.100.146.50 should be NATed to the captive portal from the outside interface to the guest network interface...is that configured?  Does this work when clients are outside the Guest network?

If so then the DNS rewrite (aka DNS doctoring) would be configured on that NAT statement.  Keep in mind that DNS rewrite does not work on PAT so unless there is a static NAT sending all ports to the captive portal, this will not work.

The other option is to NAT the public IP back to the Guest network. as it seems you have already tried?  And that did not work?  Do you see anything in the logs that is denying the packet?  either ACL, Asynchronous NAT rules, etc.

Do you have control over these client machines? How many are there?  an option would be to configure static DNS entries on the machines but that would cause issues if they have to connect when out on the internet.  Unless you can create a script that removes this static mapping when they are not on that network.

If possible, could you post a full sanitized configuration of your ASA?
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question