Cisco ASA 9.1(5) Hairpin NAT
gorony asked:
I have a network where I have 2 active interfaces on an ASA 5500 series firewall (inside,outside).
There are 2 networks on the inside interface, 10.1.1.0/24 and 10.1.2.0/4
I have static NAT objects in place to accept outside requests for the public IP to the inside IP, all works fine.
I have a catch-all outbound PAT for the remaining IPs on the inside networks going to the Internet. Surfing works fine.
An example of one of the static NAT'd external host is:
object network server1
host 10.1.1.20
object network server1
nat (inside,outside) static real.ip.addr.here
What I'm having a problem with is having other inside hosts get to the inside servers via their public IP. I can't use DNS rewrite in the NAT object, as the DNS server is on the local network and DNS rewrite would never see the traffic; plus I believe DNS rewrite breaks DNSSEC. I'm trying to avoid having to run BIND with views enabled. I'm pretty sure that I need hairpinning, but I can't seem to figure out the format of the pre-auto NAT command that would make this work.
same-security-traffic permit intra-interface and same-security-traffic permit inter-interface are in the config already.
TIA,
ASKER
I can run split DNS but I'm trying to combine this with virtualmin which doesn't automatically manage multiple views for BIND. Ultimately I'm trying to eliminate manual intervention or having to edit multiple zone files whenever a change is happening.
ASKER
OK, so if I move the network to be like this:
          ASA
|----------|---------|
outside   inside   dmz
"outside" interface has 1st public IP from provider assigned range, sec level 0
"inside" interface has 10.1.1.1/24, sec level 100
"dmz" interface has 10.1.2.1/24, sec level 50
standard NAT applies:
nat (inside,outside) source dynamic inside-subnet interface
nat (dmz,outside) source dynamic dmz-hosts interface
object network webserver
host 10.1.2.2
nat (dmz,outside) static public.ip.goes.here
I can reach the server from the outside world.
I can ping from 10.1.1.(anything) to 10.1.2.2. But I can't get "inside" hosts to access "public.ip.goes.here". I can't seem to figure out the extra nat (inside,dmz) combo that will NAT the outbound destination of public.ip.goes.here to the object webserver's private IP.
Thanks,
ASKER
OK, so I figured it out with the DMZ setup. I was pointing the NAT at an object NAT, which doesn't seem to work, so creating additional non-auto-NAT'd objects and pointing the pre-auto NAT at those works:
! plain objects (no "nat" line under them), so they are not auto NAT objects
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver-inside
 host 10.1.1.2
object network webserver-outside
 host public.ip.here
! twice NAT: source stays as-is (identity), destination public IP -> real server IP
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp
rinse, repeat.
I guess I really should clean up the configs by removing the auto-nat objects and just using the -inside and -outside objects for the (outside,dmz) NAT entries as well as the (inside,dmz) NAT entries at some point.
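The two rule shapes this thread needs, side by side: the (inside,inside) hairpin the original question asked for (two inside networks behind one interface) and the (inside,dmz) form the asker ended up with. This is an added example configuration, not the asker's config and not taken from Cisco documentation; every address in it is an assumed placeholder (10.1.1.0/24 inside subnet, 10.1.1.20 real server address, 203.0.113.20 public address from the RFC 5737 test range). Substitute your own values.

```cisco
! Added example, not the asker's configuration. ASA 8.3+ twice (manual) NAT
! so that inside clients can reach an inside server by its public address.
! Assumed placeholder values: 10.1.1.0/24 inside subnet, 10.1.1.20 real
! server address, 203.0.113.20 public address (RFC 5737 test range).

! Hairpin traffic enters and leaves the same interface, so this is required
same-security-traffic permit intra-interface

! Plain objects with no "nat" statement under them, so they are not auto NAT
! objects; the twice NAT rules below reference these.
object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network server1-inside
 host 10.1.1.20
object network server1-outside
 host 203.0.113.20

! The existing auto (object) NAT for clients on the Internet stays unchanged
object network server1
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.20

! Case 1: client and server behind the same interface (the two-interface
! design in the question). The source is PATed to the inside interface
! address so the server's replies come back through the ASA rather than
! straight to the client (which would break the session); the destination
! 203.0.113.20 is rewritten to 10.1.1.20.
nat (inside,inside) source dynamic inside-subnet interface destination static server1-outside server1-inside

! Case 2 (alternative, use instead of Case 1 when the server sits on a
! separate dmz interface as in the asker's final design; server1-inside
! then holds the dmz address and the auto NAT is (dmz,outside)). Replies
! must cross the ASA anyway, so the source stays an identity translation
! and the server logs the real client address.
! nat (inside,dmz) source static inside-subnet inside-subnet destination static server1-outside server1-inside no-proxy-arp
```

Check the result before trusting it: `packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.20 80` walks a simulated packet through the NAT and ACL phases and shows which rule matched, and `show nat detail` shows rule order and hit counts (section 1 manual NAT is evaluated top-down before auto NAT, so an overly broad hairpin rule placed first can shadow other rules). One trade-off to keep in mind for incident response: with the Case 1 source PAT, the server's own logs record the ASA inside interface address, not the client, so the real client has to be recovered from the ASA's connection syslogs (built/teardown messages 302013/302014) or `show xlate` while the translation exists; the identity-source form in Case 2 preserves the client address end to end.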