DNS doctoring / rewrite / hairpinning not working

Answered Question
Oct 3rd, 2013

Hi.

I have an ASA 5510.

I have an Exchange OWA server that gets all traffic from 1 IP on 1 interface (and then the firewall allows only HTTPS).

I need this OWA server to be able to access its own hosted website from its external address, which right now it can't.

So say from the server I go to https://external.domain.com/exchange

This times out.

It works OK from other computers that do not have the ASA as their default gateway, so the server is working and ports are forwarding correctly.

I ticked "DNS rewrite" on the static NAT rule but it is still not working.

Any ideas?

Thanks

Jouni Forss Thu, 10/03/2013 - 02:10

Hi,


I am not quite sure why the server needs to contact itself through the public IP address? Why won't it just use the local IP address, or I wonder if the 127.0.0.1 loopback would work also?

Naturally you can configure a NAT configuration to enable this to work (or try at least), but for that I would need to know the current software version of the ASA or see the NAT configurations currently on the firewall.


- Jouni

smithcolm Thu, 10/03/2013 - 02:15

I don't know either, I'm also trying to follow up on that too!

Cisco Adaptive Security Appliance Software Version 8.2(4)

Device Manager Version 6.2(1)

There's no real complex NAT stuff going on; the box is not the default gateway of most devices here, it just does NAT for some web servers and hosts a few VPNs.

Correct Answer
Jouni Forss Thu, 10/03/2013 - 02:23

Hi,


So it seems that you have software that still uses the older NAT format, since you are running 8.2 (big change from 8.3 onwards).

I am kind of wondering if this will work, since usually people are asking for a solution for a similar case, but there the requirement is that the internal hosts can contact the server using the public IP address.

If I were to presume the following starting information for these configurations:

  • Interfaces named "inside" and "outside"
  • Public IP 1.1.1.1, local IP 192.168.10.10
  • Existing Dynamic PAT configuration for the network 192.168.10.0/24 using ID 1, and the PAT IP address is the "outside" interface IP address

Then the current configuration (part of it) might be this:

global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

I would then probably try to add the following:

global (inside) 1 interface
static (inside,inside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

And make sure the following setting is enabled on the ASA:

same-security-traffic permit intra-interface


- Jouni
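Added example, not from the thread or from Cisco: a Python check to run from the OWA server itself to see which path the public name actually takes. It assumes the thread's constructed addresses (1.1.1.1 public, 192.168.10.10 local) and the host name external.domain.com. DNS rewrite only changes the answer when the DNS reply itself crosses the ASA, so a "hairpin" verdict together with a failed connect is the time-out described in the question, which the static (inside,inside) entry above is meant to fix.

```python
import socket
import sys

# Constructed addresses from the thread's example, not real hosts.
PUBLIC_IP = "1.1.1.1"
PRIVATE_IP = "192.168.10.10"
HOSTNAME = "external.domain.com"

def classify_resolution(answers, public_ip=PUBLIC_IP, private_ip=PRIVATE_IP):
    """How the inside host sees the OWA name:
    doctored -> ASA DNS rewrite replaced the A record with the local IP
    hairpin  -> the public IP came back; the flow loops through the ASA and
                needs static (inside,inside) plus intra-interface permit"""
    ips = set(answers)
    if not ips:
        return "no-answer"
    if ips == {private_ip}:
        return "doctored"
    if ips == {public_ip}:
        return "hairpin"
    return "mixed" if ips <= {public_ip, private_ip} else "unexpected"

def _real_resolve(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})

def _real_connect(ip, port, timeout):
    with socket.create_connection((ip, port), timeout=timeout):
        return True

def diagnose(host=HOSTNAME, public_ip=PUBLIC_IP, private_ip=PRIVATE_IP,
             resolve=_real_resolve, connect=_real_connect, timeout=3.0):
    """Resolve the name, classify the answer, then attempt a TCP 443 handshake
    to each returned IP. resolve/connect are injectable so the check runs
    offline; verdict 'hairpin' with reachable False is the question's time-out."""
    answers = resolve(host)
    report = {"answers": answers, "reachable": {},
              "verdict": classify_resolution(answers, public_ip, private_ip)}
    for ip in answers:
        try:
            report["reachable"][ip] = bool(connect(ip, 443, timeout))
        except OSError:  # refused, unreachable or timed out
            report["reachable"][ip] = False
    return report

if __name__ == "__main__":
    # usage: python owa_check.py [hostname] [public_ip] [private_ip]
    print(diagnose(*sys.argv[1:4]))
```

Run it once before and once after adding the NAT lines: the verdict tells you whether DNS rewrite took effect, and the reachability map tells you whether the hairpin path is forwarding.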

smithcolm Thu, 10/03/2013 - 03:50

I am not sure if there is a requirement for this, as Exchange is working.

In fact I am not going to bother even trying, because I have been told we are updating Exchange in the next few weeks.

Thanks for your help though! :-)
