Solved

Cisco ASA hairpin for guest network

Posted on 2013-12-20
6
716 Views
Last Modified: 2014-01-13
I just replaced a Netscreen firewall with an ASA 5515-X.  Everything works, almost!  The Netscreen allowed clients on the guest network to access NATed hosts on the DMZ and inside interfaces, with their Internet addresses. There was nothing special about, it just worked. I think on the ASA I need to setup a hairpin or U-turn to make this work.  I have looked around and not sure I understand it, so I'm asking here.
 
Here's my config.  No vlans on the ASA just individual interfaces.
 
outside  #.#.#.#/28              From ISP
inside   10.0.0.0/8                internal DNS
guest    192.168.1.0/24        external DNS
dmz      192.168.2.0/24        exteranl DNS
 
What I would like is for any client on the guest network to act as if it was any client on the Internet.  Is this doable? If so what's the best way to do it?
 
Thanks...Jim
0
Comment
Question by:JimNowotny
  • 4
6 Comments
 

Author Comment

by:JimNowotny
Comment Utility
This is version 9.1
0
 
LVL 13

Expert Comment

by:Quori
Comment Utility
This is possible and is source NAT, but it'll appear to come from the IP address of the ASA interface, and you'll lose a lot of information useful to auditing. Is this really what you want? Its not great from a security point of view.

If so, are the interfaces (DMZ and Guest) the same security level?
0
 

Author Comment

by:JimNowotny
Comment Utility
They are not, but can be. Right now the the DMZ is 50 and Guest is 25.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
A couple of things:

1) Don't change the security level, they're different for good reason
2) Do nat exemption between the guest and dmz networks
3) Create an access-list for guest network (in) allowing traffic to the dmz for only those services to specific IPs that need to be reached by guests.
0
 

Accepted Solution

by:
JimNowotny earned 0 total points
Comment Utility
I've done I lot of looking around and it seems doing what I want to do is not recommended by Cisco.  Seems crazy to me.  So I'm just going to use a different firewall all together for the guest network.

This question can be marked closed.
0
 

Author Closing Comment

by:JimNowotny
Comment Utility
No good answer
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This video discusses moving either the default database or any database to a new volume.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now