ASA 5505 (9.1.3) - Hairpinning not working

LocateSolution
Level 1

Hello,

In our internal LAN, I have several different servers, which can be accessed from the Internet on different ports. I do this by using NAT with specific services.

So let's say, we have the following IP addresses:

External IP address: 1.2.3.4

External domain  www.mycompany.de  which points to 1.2.3.4

Internal IP Address 192.168.1.1

My local PC: 192.168.1.2

Internal IP of my Webserver: 192.168.1.3

Now, I'd like to use www.mycompany.de to access my own website.

From outside this works fine, but from inside I just can't get it. I read some articles about hairpinning and tested some configurations.

DNS doctoring is no option, because I'd like to use it for different services (ports) that are hosted by different servers.

Configuration:

same-security-traffic permit intra-interface

nat (inside,outside) source static obj_192-168-1-3 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-443

- NAT entry to reach the website from outside. Works fine.

nat (inside,inside) source static obj-external-ip obj_192-168-1-3 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

- Test to reach it from inside. Doesn't work.

- I already switched "obj-external-ip" and "obj_192-168-1-3", but this still doesn't work

When I try to reach the website now, I just get the following error in the log:

"Failed to locate egress interface for TCP from inside:192.168.1.2/64490 to 1.2.3.4/443"

I used this example, but unfortunately, this is for the "old" (< 8.2) configuration, so it doesn't work on newer versions:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html#solution2

I think I am missing the following command, but I can't figure out how it should be written in the new configuration format:

nat (inside) 1 192.168.100.0 255.255.255.0

!--- The NAT statement defines which traffic should be natted. 

!--- The whole inside subnet in this case.

Maybe someone can help me?

Thank you,

Daniel

3 Replies

Swaraj Nambiar
Cisco Employee

Hi Daniel,

I think the issue that you see here is because of two reasons -

a) the mapped IP in your case is the outside interface IP address and in this scenario you would expect to see the traffic getting dropped with the syslog message you mentioned.

b) the source for this traffic should also be NAT'ed so that the reply packets from the internal server make their way back through the firewall. --> this, however, is only a secondary issue and can be corrected using NAT.

Now, let us consider that you are using a different IP address from the interface IP on the outside to NAT the internal server. In that case, following is the NAT that needs to be configured on the ASA -

# nat (inside,inside) source dynamic obj_all interface destination static

I would not expect this to work with the outside interface being used as the mapped IP address.

Hope this helps.

- Swaraj
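As an added example (not Swaraj's reply or Cisco documentation), here is the complete hairpin NAT he describes, assuming a spare public address 1.2.3.5 (constructed) as the mapped IP instead of the outside interface address, and assuming the object names obj_all, obj-public-ip, obj_192-168-1-3 and obj-tcp-source-eq-443 defined below:

```cisco
! Objects (names and the spare address 1.2.3.5 are assumptions for this example)
object network obj_all
 subnet 192.168.1.0 255.255.255.0
object network obj_192-168-1-3
 host 192.168.1.3
object network obj-public-ip
 host 1.2.3.5
object service obj-tcp-source-eq-443
 service tcp source eq 443
!
! Allow traffic to enter and leave on the same (inside) interface
same-security-traffic permit intra-interface
!
! Inbound: outside clients reaching 1.2.3.5:443 are translated to 192.168.1.3:443
nat (inside,outside) source static obj_192-168-1-3 obj-public-ip service obj-tcp-source-eq-443 obj-tcp-source-eq-443
!
! Hairpin: inside clients to 1.2.3.5:443 are sent to 192.168.1.3:443, and the
! client source is hidden behind the inside interface address so the server's
! replies return through the ASA instead of going directly to the client
nat (inside,inside) source dynamic obj_all interface destination static obj-public-ip obj_192-168-1-3 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
```

The DNS record for www.mycompany.de would then have to point at 1.2.3.5, and the translation can be checked from the CLI with `packet-tracer input inside tcp 192.168.1.2 64490 1.2.3.5 443` and `show nat detail`.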

Hello Swaraj,

You are right, the IP address of my "outside" interface is the same as the one I try to NAT. In this example, it is 1.2.3.4.

So does it mean, this won't work?

Regards,

Daniel

I think there is some confusion on what you think DNS doctoring is doing.

It's nothing to do with different ports or services; it changes the embedded IP address within a DNS response so that a client can successfully connect to the correct IP address of a server that lies internally.

see http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html
