I have an ASA on 8.04, and have set up hairpinning to allow internal desktops to access a pair of servers via their public addresses. Config snippet below - essentially as per the CCO DNS doctoring document except for the second server. Desktop-server communication is working, but the servers also need to run FTP between them. This is not working.
My knowledge of the internal processes of the ASA is highly imperfect, but it seems to me there might be problems with getting all the needed translations, connection table entries etc, built correctlyin this context, particularly for TCP, since the ASA validates the handshake. My main question is, is communication between a pair of public addresses supported via hairpinning, and, if so, what config mods are necessary to support it?
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 10 interface
global (Inside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Inside) x.y.z.196 192.168.10.6 netmask 255.255.255.255
static (Inside,Inside) x.y.z.197 192.168.10.7 netmask 255.255.255.255
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
service-policy global_policy global