Accessing outside IP of NATed services from VPN on same IF?
We have two datacenters, with an ASA 5510 pair in one (datacenter A) and an ASA 5520 pair in the other (datacenter B). The 5510 presents multiple web-based services to the Internet via static NAT. We also have a site-to-site VPN connecting the two datacenters. Prior to installing the ASA 5510s, we had some open-source managed firewalls which made the same web services Internet-accessible. To eliminate the need to configure and manage split-horizon DNS, we used the external addresses of DC A to access the web services from DC B. There were never any connectivity issues.
Since upgrading to the 5510s, we can't access any external addresses on the 5510s from the LAN subnet (behind the 5520s) in DC B. We have hairpinning/U-turn enabled for the 5510 and 5520s, and we know that works because we have remote access users that required it. The site-to-site VPN tunnels terminate on the same interface to which the web services are NATed.
Is it possible for traffic coming through a VPN tunnel terminating on an ASA to access addresses NATed to the same interface? If so, what should I be looking for as missing in my configuration?
Some data to illustrate what I mean:
DC B private subnet: 10.0.0.0/24
DC A private subnet: 10.1.0.0/24
DC A public subnet: 18.104.22.168/24
webservice: 10.1.0.10 NAT to 22.214.171.124
webservice: 10.1.0.25 NAT to 126.96.36.199
We need to be able to connect from 10.0.0.1 to 188.8.131.52 and 184.108.40.206. Both connections fail. We have to connect to 10.1.0.10 and 10.1.0.25, with separate DNS zones/records required.