1094 Views | 0 Helpful | 4 Replies

Allow traffic from NAT to NAT on same interface

pondersean
Level 1

Hey everyone,

     I've run into a problem with an ASA5510.  Basically what I need to do is allow traffic from one NAT'd address to another NAT'd address on the same external interface.

     So I have a client PC on an internal network and it initiates a call (on port 80) to an external IP address.  But that external IP address is in fact a static NAT address being translated on that same external interface (the back-end IP is a load-balanced web server pool). 

     How do I allow that access?

Thanks for any input,

Sean


4 Replies

Magnus Mortensen
Cisco Employee

Sean,

     We can do this by hair-pinning the traffic on the inside/internal interface:

Scenario: HOST A wants to access HOST B

same-security permit intra-interface
!
static (inside,inside) B_external B_internal
!
global (inside) 1 interface

Basically, when HOST A hits the inside interface destined for the B_External IP, the traffic will be hair-pinned back into the inside interface and HOST A will be PATted to the inside interface (assuming you have a 'nat (inside) 1' that would match this).

In theory... that 'should' work.

- Magnus

Magnus,

     Thanks for looking at this.

     Since I'm running ASA code 8.3.1, everything is defined using objects and there is no more "global". Regardless, I defined my dynamic NAT to use the outside interface rather than the IP I had assigned for NAT traffic. Still no joy. I can see the TCP connection and translations being built, but I get SYN timeouts every time.

Sean,

     8.3.1... tricky tricky... Here is something that may work in that situation:

object network host_A_internal
 host ip_host_a_internal
object network host_A_external
 host ip_host_a_external
object network host_B_internal
 host ip_host_b_internal
object network host_B_external
 host ip_host_b_external
!
! (real_ifc,mapped_ifc) are the same interface: hairpin
! source static <real> <mapped>; destination static <mapped> <real>
nat (internal,internal) source static host_A_internal host_A_external destination static host_B_external host_B_internal

Basically we are NATting both the source and destination when we hairpin... We have to NAT the source since the return traffic must hit the ASA since it is TCP and we need to see both sides of the conversation.

- Magnus
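An added model of the twice-NAT hairpin above (example code written for this page, not the thread's own configuration or any Cisco tool): it walks a TCP SYN and its SYN/ACK through the translation with and without the source NAT, using constructed sample addresses in place of the ip_host_* placeholders, to show why the reply only re-enters the ASA when the source is translated.

```python
from dataclasses import dataclass

# Constructed sample addresses standing in for the thread's placeholders.
HOST_A_INTERNAL = "10.1.1.10"     # ip_host_a_internal (client PC)
HOST_A_EXTERNAL = "203.0.113.10"  # ip_host_a_external (mapped source)
HOST_B_INTERNAL = "10.1.1.20"     # ip_host_b_internal (web server pool)
HOST_B_EXTERNAL = "203.0.113.20"  # ip_host_b_external (address the client dials)
INTERNAL_PREFIX = "10.1.1."       # the flat internal segment

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def asa_forward(pkt: Packet, translate_source: bool) -> Packet:
    """Inbound leg of the hairpin: the destination is always un-NATted
    (B_external -> B_internal); the source is translated only when the
    rule carries 'source static host_A_internal host_A_external'."""
    if pkt.dst != HOST_B_EXTERNAL:
        return pkt
    src = HOST_A_EXTERNAL if translate_source else pkt.src
    return Packet(src, HOST_B_INTERNAL)

def asa_reverse(pkt: Packet, translate_source: bool) -> Packet:
    """Return leg: undo both translations for the existing connection."""
    if translate_source and pkt.dst == HOST_A_EXTERNAL:
        return Packet(HOST_B_EXTERNAL, HOST_A_INTERNAL)
    return pkt

def reply_reaches_asa(reply: Packet) -> bool:
    """Server B only sends through the ASA (its default gateway) when the
    destination is off-subnet; an on-subnet destination is delivered
    directly at layer 2, so the firewall never sees that half of the flow."""
    return not reply.dst.startswith(INTERNAL_PREFIX)

def handshake_completes(translate_source: bool) -> bool:
    """True if A's SYN reaches B and B's SYN/ACK comes back to A through the
    ASA with the addresses A expects (B_external -> A_internal)."""
    syn = Packet(HOST_A_INTERNAL, HOST_B_EXTERNAL)
    arriving = asa_forward(syn, translate_source)
    syn_ack = Packet(arriving.dst, arriving.src)  # B answers the source it saw
    if not reply_reaches_asa(syn_ack):
        return False  # ASA never sees the SYN/ACK: the SYN times out
    return asa_reverse(syn_ack, translate_source) == Packet(HOST_B_EXTERNAL, HOST_A_INTERNAL)

if __name__ == "__main__":
    print("with source NAT:", handshake_completes(True))        # True
    print("destination NAT only:", handshake_completes(False))  # False
```

The destination-only case reproduces the symptom in the thread: the translation and connection are built, but the SYN/ACK goes straight to the client on the local segment and the ASA times out waiting for it.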

Seems to have worked.  Thanks!!!
