Allow traffic from NAT to NAT on same interface

Answered Question
Jul 30th, 2010

Hey everyone,

     I've run into a problem with an ASA5510.  Basically what I need to do is allow traffic from one NAT'd address to another NAT'd address on the same external interface.

     So I have a client PC on an internal network and it initiates a call (on port 80) to an external IP address.  But that external IP address is in fact a static NAT address being translated on that same external interface (the back-end IP is a load-balanced web server pool). 

     How do I allow that access?

Thanks for any input,

Sean

Magnus Mortensen Fri, 07/30/2010 - 16:39

Sean,

     We can do this by hair-pinning the traffic on the inside/internal interface:

Scenario: HOST A wants to access HOST B

! Allow a flow to enter and leave the same interface (hairpin).
same-security permit intra-interface
!
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
! Host B's public address is presented on the inside interface as well.
static (inside,inside) B_external B_internal
!
! PAT hairpinned sources to the inside interface address.
global (inside) 1 interface

Basically, when HOST A hits the inside interface destined for the B_External IP, the traffic will be hair-pinned back into the inside interface and HOST A will be PATted to the inside interface (assuming you have a 'nat (inside) 1' that would match this).

In theory... that 'should' work.

- Magnus

pondersean Fri, 07/30/2010 - 16:48

Magnus,

     Thanks for looking at this.

     Since I'm running on ASA code 8.3.1 everything is defined using objects and no more "global".    Regardless, I defined my dynamic NAT to use the outside interface rather than the IP I had assigned for NAT traffic.  Still no joy.  I can see the TCP connection and translations being built, but I get SYN timeouts every time.

Correct Answer
Magnus Mortensen Fri, 07/30/2010 - 17:05

Sean,

     8.3.1... tricky tricky... Here is something that may work in that situation:

! Placeholders: replace ip_host_* with real addresses, and "internal"
! with the nameif of the interface the client sits on.
object network host_A_internal
 host ip_host_a_internal
object network host_A_external
 host ip_host_a_external
object network host_B_internal
 host ip_host_b_internal
object network host_B_external
 host ip_host_b_external
!
! Twice NAT on a single interface: the source A_internal is translated to
! A_external and the destination B_external is un-translated to B_internal.
nat (internal,internal) source static host_A_internal host_A_external destination static host_B_external host_B_internal

Basically we are NATting both the source and destination when we hairpin... We have to NAT the source so that the return traffic hits the ASA: it is TCP, and we need to see both sides of the conversation.

- Magnus
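The twice-NAT hairpin from the answer above, written out as a complete 8.3+ configuration with concrete addresses and the verification commands a practitioner would run. This is an added example, not configuration from the original thread or from Cisco; the interface names, addresses, security levels and object names are assumptions chosen for illustration, and the source is PATed to the inside interface address (the approach from the first answer) rather than to a dedicated static address.

```cisco
! Assumed topology (not from the original post):
!   inside  interface 10.1.1.1/24,     security-level 100
!   outside interface 203.0.113.1/24,  security-level 0
!   host A (client on the inside)      10.1.1.10
!   web pool VIP, real address         10.1.1.80     (host B internal)
!   web pool public address            203.0.113.80  (host B external)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Mandatory for any inside->inside hairpin; without it the ASA drops the
! flow before NAT is even consulted.
same-security permit intra-interface
!
object network inside_net
 subnet 10.1.1.0 255.255.255.0
object network webpool_internal
 host 10.1.1.80
object network webpool_external
 host 203.0.113.80
!
! Normal publication of the pool for Internet clients (object NAT, section 2).
object network webpool_internal
 nat (inside,outside) static webpool_external
!
! Hairpin rule for inside clients (twice NAT, section 1, so it is matched
! before the object NAT above). Destination 203.0.113.80 is un-translated
! to 10.1.1.80; the source is PATed to the inside interface address so the
! server's SYN/ACK is addressed to the ASA and the TCP flow stays symmetric.
! Leaving the source untranslated would make the server reply directly to
! 10.1.1.10 on the LAN, the ASA would never see the SYN/ACK, and the
! connection would sit in SYN timeout, which is the symptom in the thread.
nat (inside,inside) source dynamic inside_net interface destination static webpool_external webpool_internal
!
! Verification (exec mode):
!   packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.80 80
!     - the NAT phase should show the twice-NAT rule above, and the
!       result should be ALLOW with output-interface inside
!   show xlate
!     - expect a PAT xlate 10.1.1.10 -> 10.1.1.1 and the static 203.0.113.80 -> 10.1.1.80
!   show conn address 10.1.1.10
!     - flags should reach U (up) once the three-way handshake completes;
!       a conn stuck at saA/SaAB indicates the return path is bypassing the ASA
```

Substitute a static source mapping (`source static host_A_internal host_A_external`, as in the answer above) for the dynamic interface PAT only if the mapped address is one the web servers route back through the ASA's inside interface; otherwise the reply still bypasses the firewall. If hairpinning is undesirable on the firewall at all, the usual alternative is DNS doctoring (the `dns` keyword on the object NAT line), which rewrites the A record so inside clients connect to 10.1.1.80 directly.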
