NAT Hairpin / DNS Rewrite

Answered Question
Mar 20th, 2014
ASA Version 8.4(3)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.148 255.255.255.240
!

interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.200.253 255.255.255.0
!

same-security-traffic permit intra-interface

object network External-Face-IP
 host 8.8.8.158

object network Network-London
 subnet 192.168.200.0 255.255.255.0

object network External-www.domain.com
 host 8.8.8.152

object network www.domain.com
 host 192.168.200.66

access-list outside_access_in extended permit tcp any object www.domain.com eq www 

nat (outside,inside) source static any any destination static any any destination static External-www.domain.com www.domain.com

Hi All,

I'm having difficulty configuring a NAT Hairpin (I believe it is called this) on my Cisco ASA 5510.

I have a website "www.domain.com" hosted on a server on our internal network. Externally people can access the website no problem, but when attempting to access it internally, the website never resolves. I believe this is because the website is on the same external IP subnet as the external face IP and the ASA needs to realise this and redirect to the internal IP address.

Can someone please take a look at my config above and suggest what I have done wrong?

UPDATE:

I guess what I am after is this:

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/#.

BUT with up-to-date syntax as the above link syntax doesn't seem to work for me.

 

Many thanks,

Tarran

 


lcambron Thu, 03/20/2014 - 16:56
User Badges:
  • Bronze, 100 points or more

Hello,

 

Here's what you need:

same-security-traffic permit intra-interface

nat (inside,inside) source static any any destination static External-www.domain.com www.domain.com

Regards,

Felipe.

 
 Remember to rate useful posts.

Mike Williams Thu, 03/20/2014 - 19:29
User Badges:
  • Bronze, 100 points or more

Hi Tarran,

Felipe presented a perfectly acceptable solution for hairpinning through the ASA. You mentioned an article for DNS doctoring. The correct syntax for 8.3+ is as follows using auto NAT:

object network www.domain.com
 host 192.168.200.66
 nat (inside,outside) static 8.8.8.152 dns

or using manual NAT, as you have in your config:

nat (inside,outside) source static www.domain.com External-www.domain.com dns

And while those are both great solutions, I have found that using split-horizon DNS is a much better solution most of the time.

With split-horizon DNS, you create a DNS zone on your internal DNS server that contains the necessary records for your public DNS zone, only using private IP addresses where necessary. 

For example, I have a domain of awesome.com. Normally, when I resolve www.awesome.com, it goes out to my public DNS server and returns 8.8.8.152. If I implement split-dns, my internal DNS server will resolve the same FQDN, but will resolve it to 192.168.200.66. 

Split-horizon DNS typically gives you a lot more control over your DNS and doesn't force you to use awkward configurations on your firewall.

 

Regards,

Mike

Correct Answer
Tormod Macleod Fri, 03/21/2014 - 04:23

object-group network Private-Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (inside,inside) source dynamic Private-Addresses interface destination static [PUBLIC-ADDRESS-OBJECT] [PRIVATE-ADDRESS-OBJECT]

you need to create a group for private addresses and put this NAT above the NAT that services your external users. This worked for me anyway. The bit that I struggled with is that you need to change the source address to be that of the inside interface of your FW. Otherwise your webserver will return the traffic directly to the source, bypassing the firewall. The firewall will deny subsequent packets sent to the web server unless you allow tcp state bypass.

Good luck
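As an added illustration (not from the thread) of why the source has to be translated to the inside interface in Tormod's hairpin rule, here is a small Python model of that (inside,inside) NAT using the thread's addresses; it also covers a private client that is not on the web server's own subnet, where the reply is routed via the ASA anyway. The ASA inside IP, server addresses and Private-Addresses group are taken from the posts; the flow model itself is a simplification constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed to match the thread: the ASA's inside interface, the web server's
# public and private addresses, and Tormod's Private-Addresses object-group.
ASA_INSIDE = ip_address("192.168.200.253")
SERVER_SUBNET = ip_network("192.168.200.0/24")
WEB_PUBLIC = ip_address("8.8.8.152")
WEB_PRIVATE = ip_address("192.168.200.66")
PRIVATE_ADDRESSES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int = 80


def hairpin_nat(flow: Flow, translate_source: bool) -> Flow:
    """Model the (inside,inside) rule: destination 8.8.8.152 -> 192.168.200.66.
    With translate_source=True the source is also PATed to the inside interface
    ('source dynamic Private-Addresses interface'); otherwise it is left alone
    ('source static any any')."""
    if not any(flow.src in net for net in PRIVATE_ADDRESSES) or flow.dst != WEB_PUBLIC:
        return flow  # rule does not match; packet passes untouched
    new_src = ASA_INSIDE if translate_source else flow.src
    return replace(flow, src=new_src, dst=WEB_PRIVATE)


def reply_passes_through_asa(translated: Flow) -> bool:
    """The server answers whatever source address it saw. If that address is on
    the server's own subnet (and is not the ASA), the reply is delivered directly
    at layer 2 and the firewall never sees it; the client's next packet then hits
    the ASA with no matching connection state and is dropped."""
    reply_to = translated.src
    if reply_to == ASA_INSIDE:
        return True  # reply lands on the ASA, which un-NATs it back to the client
    return reply_to not in SERVER_SUBNET  # off-subnet replies go via the gateway (the ASA)


def hairpin_outcome(client_ip: str, translate_source: bool) -> dict:
    """What the server sees for an inside client, and whether the TCP session survives."""
    t = hairpin_nat(Flow(ip_address(client_ip), WEB_PUBLIC), translate_source)
    return {"server_sees_src": str(t.src), "server_dst": str(t.dst),
            "session_ok": reply_passes_through_asa(t)}


if __name__ == "__main__":
    for ip, ts in (("192.168.200.10", False), ("192.168.200.10", True), ("10.20.0.7", False)):
        print(ip, "source -> interface" if ts else "source untouched", hairpin_outcome(ip, ts))
```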

Tarran Mon, 03/24/2014 - 02:43

Thank you everyone for your help. I tried everyone's manual NAT suggestions, but the one that worked for me was Tormod Macleod's:

nat (inside,inside) source dynamic Network-London interface destination static External-www.domain.com www.domain.com

Thanks again everyone - truly appreciated.
