11-15-2008 06:02 PM - edited 03-11-2019 07:13 AM
I have an ASA on 8.04, and have set up hairpinning to allow internal desktops to access a pair of servers via their public addresses. Config snippet below - essentially as per the CCO DNS doctoring document except for the second server. Desktop-server communication is working, but the servers also need to run FTP between them. This is not working.
My knowledge of the internal processes of the ASA is highly imperfect, but it seems to me there might be problems with getting all the needed translations, connection table entries etc. built correctly in this context, particularly for TCP, since the ASA validates the handshake. My main question is: is communication between a pair of public addresses supported via hairpinning, and, if so, what config mods are necessary to support it?
Thanks.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 10 interface
global (Inside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Inside) x.y.z.196 192.168.10.6 netmask 255.255.255.255
static (Inside,Inside) x.y.z.197 192.168.10.7 netmask 255.255.255.255
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
01-08-2009 06:40 PM
I am running into exactly the same issue, someone please help.
01-09-2009 04:49 PM
Hi,
This problem could be resolved via either DNS doctoring or hairpinning; please refer to the solution at the following URL for details:
Rawson Fang
04-12-2009 06:17 PM
Hi Dear,
Have you checked if DNS inspection is enabled?
Please remember DNS inspection must be enabled in order to perform DNS doctoring on the security appliance. DNS inspection is on by default. However, if it has been turned off, please re-enable it first of all.
Also note that DNS doctoring is enabled when you add the dns keyword to a static NAT statement, which I think in your case you have not done, so DNS will not do the internal-to-internal mapping correctly.
As you know, in a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A record with the IP address to the client (provides a public IP; as in your case it is 192.168.x.y), as the DNS server is outside the LAN.
While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.
In this scenario, the client is located on the inside interface of the ASA (192.168.x.y). The WWW server that the client tries to reach is located on the dmz interface of the ASA (10.10.x.y).
Dynamic PAT is configured to allow the client access to the Internet. Static NAT with an access-list is configured to allow the server access to the Internet, as well as allow Internet hosts to access the WWW server.
In this case, the client at 192.168.x.y wants to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at the routable IP addresses which you have assigned to the outside/WAN interface, I think 40.40.40.78 or something in this range.
Because the DNS server is located on another public network, it does not know the private IP address of the WWW server (something in the range 10.10.x.y, or I think 10.10.10.10). Instead, it knows the WWW server's mapped address in the WAN range, i.e. 40.40.40.x or something like this.
Thus, the DNS server contains the IP-address-to-name mapping of server.example.com to 40.40.40.x.
Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the WWW server using its name, it is unable to access the WWW server. This is because the client receives an A record that contains the mapped public address of 40.40.40.x for the WWW server. When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.
As you have already made class maps (the kind of traffic of your interest), policy maps (what action you want to take on this class map's interesting traffic) and then applied the policy maps to a service-policy (attach it to the interface).
Here is an example as follows:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Kindly find the reference document for 3 interfaces as follows:
PIX/ASA: Perform DNS Doctoring with the static Command and Three NAT Interfaces Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Hope your problem resolves this time.
Please do not hesitate to ask if there is anything in this regard you need to consult.
Please revert if you face any issue.
Best Regards,
Sachin
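The rewrite described in the post above (the appliance edits the A record in the DNS reply when the answer's address matches a static translation that carries the dns keyword), as an added Python simulation. This is not code from the thread or from Cisco: the hostname, the 203.0.113.x/198.51.100.x addresses, the hand-built DNS reply and the STATIC_DNS_MAP table are all constructed for illustration, and the table stands in for the ASA's static translation entries.

```python
"""Simulated DNS doctoring: rewrite A-record RDATA in a DNS reply according
to a mapped-to-real NAT table. Added example, not from the thread or Cisco;
all addresses, names and the reply message are constructed."""
import struct
import ipaddress

# Hypothetical mapped (public) -> real (inside) table, modelled on a
# "static (Inside,Outside) x.y.z.196 192.168.10.6 netmask ... dns" entry.
STATIC_DNS_MAP = {
    "203.0.113.196": "192.168.10.6",
    "203.0.113.197": "192.168.10.7",
}


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(txid, qname, answers):
    """Build a minimal DNS response: one A question, one A answer per
    address. Answers point at the question name via a compression pointer
    (offset 12, i.e. 0xC00C) so the parser has to handle both name forms."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def skip_name(msg, off):
    """Return the offset just past a name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def iter_answers(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_reply(msg, nat_map):
    """Rewrite IN A answers whose address is a mapped address in nat_map to
    the corresponding real address. Only the 4-byte RDATA changes, so the
    message length and every compression pointer stay valid. Returns
    (new_message, number_of_records_rewritten)."""
    buf = bytearray(msg)
    rewritten = 0
    for off, rtype, rclass, rdlen in iter_answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            mapped = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if mapped in nat_map:
                buf[off:off + 4] = ipaddress.IPv4Address(nat_map[mapped]).packed
                rewritten += 1
    return bytes(buf), rewritten


def answer_addresses(msg):
    """List the A-record addresses in the answer section, in order."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, _rclass, rdlen in iter_answers(msg)
            if rtype == 1 and rdlen == 4]


if __name__ == "__main__":
    # Constructed reply: the public server address plus an unrelated host
    # that must pass through untouched.
    reply = build_reply(0x1234, "server.example.com", ["203.0.113.196", "198.51.100.7"])
    doctored, count = doctor_reply(reply, STATIC_DNS_MAP)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "rewritten:", count)
```

The point the simulation makes is that doctoring acts on the reply's answer section only, and only on addresses that match a translation entry; the client's query and any unrelated answers pass through unchanged, which is why the rewrite cannot help when DNS inspection is disabled or when the reply never traverses the interface pair the static is defined on.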
04-12-2009 06:25 PM
Hello Sachin,
The problem was resolved as an application issue on the servers. Hairpinning is working fine. Thank you.
Regards,
Mike Flanigan