Cisco ASA 9.1(5) Hairpin NAT

I have a network where I have 2 active interfaces on an ASA 5500 series firewall (inside,outside).

There are 2 networks on the inside interface, 10.1.1.0/24 and 10.1.2.0/4

I have static NAT objects in place to accept outside requests for the public IP to the inside IP, all works fine.
I have a catch-all outbound PAT for the remaining IPs on the inside networks going to the Internet. Surfing works fine.

An example of one of the static NAT'd external hosts is:
object network server1
 host 10.1.1.20
object network server1
 nat (inside,outside) static real.ip.addr.here

What I'm having a problem with is having other inside hosts get to the inside servers via their public IP. I can't use DNS rewrite in the NAT object, as the DNS server is on the local network and DNS rewrite would never see the traffic; plus, I believe DNS rewrite breaks DNSSEC. I'm trying to avoid having to run BIND with views enabled. I'm pretty sure that I need hairpinning, but I can't seem to figure out the format of the pre-auto NAT command that would make this work.
same-security-traffic permit intra-interface and same-security-traffic permit inter-interface are in the config already.

TIA,
Asked by gorony
Pete Long (Technical Consultant) commented:
If your DNS Servers are on your LAN why not run splitDNS?

Windows - Setting Up Split DNS

Pete
0
gorony (Author) commented:
I can run split DNS, but I'm trying to combine this with Virtualmin, which doesn't automatically manage multiple views for BIND. Ultimately I'm trying to eliminate manual intervention, or having to edit multiple zone files whenever a change happens.
0
Pete Long (Technical Consultant) commented:
I've had a ponder on this, and the only way I can think of to do this would be to put each internal network on a different physical or sub-interface on the ASA. Even then I'd have to sit and think about all the NAT possibilities.

This would also mean the firewall was LAN routing, which is possible but not something I usually advocate unless it's a very small network.
0

gorony (Author) commented:
OK, so if I move the network to be like this:

         ASA
|---------|---------|
outside   inside    dmz

"outside" interface has 1st public IP from provider assigned range, sec level 0
"inside" interface has 10.1.1.1/24, sec level 100
"dmz" interface has 10.1.2.1/24, sec level 50

standard NAT applies:
nat (inside,outside) source dynamic inside-subnet interface
nat (dmz,outside) source dynamic dmz-hosts interface
object network webserver
 host 10.1.2.2
 nat (dmz,outside) static public.ip.goes.here

I can reach the server from the outside world.
I can ping from 10.1.1.(anything) to 10.1.2.2, but I can't get "inside" hosts to access "public.ip.goes.here". I can't seem to figure out the extra nat (inside,dmz) combo that will NAT the outbound destination of public.ip.goes.here to the object webserver's private IP.

Thanks,
0
gorony (Author) commented:
OK, so I figured it out with the DMZ setup. I was pointing the NAT at an object NAT, which doesn't seem to work, so creating an additional non-auto-NAT'd object and pointing the pre-auto NAT at that works:

object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver-inside
 host 10.1.1.2
object network webserver-outside
 host public.ip.here
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp

rinse, repeat.

I guess I really should clean up the configs by removing the auto-NAT objects and just using the -inside and -outside objects for the (outside,dmz) NAT entries as well as the (inside,dmz) NAT entries at some point.
0
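The cleaned-up configuration the last post describes, written out in full as an added example (not the poster's own config): manual (twice) NAT rules in section 1 handle both the outside-to-DMZ static translation and the inside-to-DMZ hairpin, with no auto NAT objects at all. Object names, the placeholder public address 203.0.113.10, the rule ordering, and the packet-tracer check are assumptions added here.

```cisco
! Objects: one for each real/mapped address the rules refer to
object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network dmz-subnet
 subnet 10.1.2.0 255.255.255.0
object network webserver-inside
 host 10.1.2.2
object network webserver-outside
 host 203.0.113.10
! placeholder for the provider-assigned public IP

! Section 1 (manual NAT) is evaluated in order, top to bottom,
! so the specific static rules must sit above the catch-all PAT.

! Internet -> DMZ server: public IP maps 1:1 to the DMZ host.
nat (dmz,outside) source static webserver-inside webserver-outside

! Hairpin: inside host -> public IP. The source is left untouched
! (identity translation inside-subnet -> inside-subnet) so the server
! still sees the real client address; only the destination is rewritten.
! The (inside,dmz) interface pair also tells the ASA to egress via dmz
! instead of routing the public IP out the outside interface.
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp

! Catch-all PAT for everything else leaving for the Internet.
nat (inside,outside) source dynamic inside-subnet interface
nat (dmz,outside) source dynamic dmz-subnet interface

! Verify the hairpin without touching a client: the trace should show
! the (inside,dmz) rule matched and the destination rewritten to 10.1.2.2.
packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.10 80
show nat detail
```

An access rule permitting inside to dmz on the service port is still required if the default same-security or higher-to-lower behaviour does not already allow it.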