ASA Version 8.4(3)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 126.96.36.199 255.255.255.240
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.200.253 255.255.255.0
!
same-security-traffic permit intra-interface
object network External-Face-IP
 host 188.8.131.52
object network Network-London
 subnet 192.168.200.0 255.255.255.0
object network External-www.domain.com
 host 184.108.40.206
object network www.domain.com
 host 192.168.200.66
access-list outside_access_in extended permit tcp any object www.domain.com eq www
nat (outside,inside) source static any any destination static any any destination static External-www.domain.com www.domain.com
I'm having difficulty configuring a NAT hairpin (I believe it is called this) on my Cisco ASA 5510.
I have a website, "www.domain.com", hosted on a server on our internal network. Externally, people can access the website with no problem, but when attempting to access it internally, the website never resolves. I believe this is because the website is on the same external IP subnet as the external face IP, and the ASA needs to realise this and redirect to the internal IP address.
Can someone please take a look at my config above and suggest what I have done wrong?
I guess what I am after is this:
BUT with up-to-date syntax, as the above link's syntax doesn't seem to work for me.
object-group network Private-Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
nat (inside,inside) source dynamic Private-Addresses interface destination static [PUBLIC-ADDRESS-OBJECT] [PRIVATE-ADDRESS-OBJECT]
You need to create a group for private addresses and put this NAT above the NAT that services your external users. This worked for me anyway. The bit that I struggled with is that you need to change the source address to be that of the inside interface of your FW. Otherwise your web server will return the traffic directly to the source, bypassing the firewall. The firewall will deny subsequent packets sent to the web server unless you allow TCP state bypass.
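Filling in the answer's placeholders with the object names already defined in the question's config, as an added example rather than the poster's own working configuration. The client address 192.168.200.10 in the verification commands is a constructed value, and the rule position `1` is an assumption that simply implements the answer's advice to place the hairpin rule ahead of the existing rule for external users.

```cisco
! Inside-to-inside traffic must be permitted before a hairpin can work
! (the question's config already contains this line).
same-security-traffic permit intra-interface

! RFC 1918 source group, exactly as in the answer above.
object-group network Private-Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! Hairpin rule: an inside client connecting to the public address
! (External-www.domain.com, 184.108.40.206) is redirected to the real
! server (www.domain.com, 192.168.200.66). The client's source address is
! translated to the inside interface address (192.168.200.253) so the
! server's replies return through the ASA instead of going straight to
! the client and being dropped as out-of-state.
! Position "1" places this rule first among the manual NAT rules
! (assumption: no other manual rule needs to precede it).
nat (inside,inside) 1 source dynamic Private-Addresses interface destination static External-www.domain.com www.domain.com

! Verification (192.168.200.10 is a constructed client address):
! - confirm rule order and hit counts
show nat detail
! - simulate an inside client opening port 80 to the public address and
!   check that the untranslate phase selects www.domain.com
packet-tracer input inside tcp 192.168.200.10 12345 184.108.40.206 80 detailed
! - once a client has connected, both translations should be listed
show xlate
```

If `packet-tracer` shows the flow being dropped at the NAT or ACL phase, the usual causes are the `same-security-traffic` line being absent or the hairpin rule sitting below a broader manual rule that matches first; the translation of the source to the inside interface address is what keeps the server's return traffic flowing through the firewall, as the answer describes.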