New Member

Allow traffic from NAT to NAT on same interface

Hey everyone,

     I've run into a problem with an ASA5510.  Basically what I need to do is allow traffic from one NAT'd address to another NAT'd address on the same external interface.

     So I have a client PC on an internal network and it initiates a call (on port 80) to an external IP address.  But that external IP address is in fact a static NAT address being translated on that same external interface (the back-end IP is a load-balanced web server pool). 

     How do I allow that access?

Thanks for any input,

Sean

4 REPLIES
Cisco Employee

Re: Allow traffic from NAT to NAT on same interface

Sean,

     We can do this by hair-pinning the traffic on the inside/internal interface:

Scenario: HOST A wants to access HOST B

same-security-traffic permit intra-interface
!
static (inside,inside) B_external B_internal
!
global (inside) 1 interface

Basically, when HOST A hits the inside interface destined for the B_External IP, the traffic will be hair-pinned back into the inside interface and HOST A will be PATed to the inside interface (assuming you have a 'nat (inside) 1' that would match this).

In theory... that 'should' work.

- Magnus

New Member

Re: Allow traffic from NAT to NAT on same interface

Magnus,

     Thanks for looking at this.

     Since I'm running on ASA code 8.3.1, everything is defined using objects and there is no more "global". Regardless, I defined my dynamic NAT to use the outside interface rather than the IP I had assigned for NAT traffic. Still no joy. I can see the TCP connection and translations being built, but I get SYN timeouts every time.

Cisco Employee

Re: Allow traffic from NAT to NAT on same interface

Sean,

     8.3.1... tricky tricky... Here is something that may work in that situation:

object network host_A_internal
 host ip_host_a_internal
object network host_A_external
 host ip_host_a_external
object network host_B_internal
 host ip_host_b_internal
object network host_B_external
 host ip_host_b_external
!
! Needed so traffic may enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
!
! Twice NAT: translate the source (A internal -> A external) and untranslate
! the destination (B external -> B internal) in one rule on the same interface.
nat (internal,internal) source static host_A_internal host_A_external destination static host_B_external host_B_internal

Basically we are NATting both the source and destination when we hairpin... We have to NAT the source since the return traffic must hit the ASA since it is TCP and we need to see both sides of the conversation.

- Magnus
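A complete version of the hairpin above, added here as an example and not taken from the thread: interface names, addresses and object names are constructed. It generalizes the accepted answer by PATing every inside client to the inside interface address instead of mapping a single static source, and adds the packet-tracer check used to confirm the translation.

```text
! Constructed example: inside interface "inside", client 10.1.1.10,
! web pool VIP 10.1.2.50 published on "outside" as 203.0.113.20.
!
! Required so the ASA accepts traffic that enters and leaves the same interface.
same-security-traffic permit intra-interface
!
object network web_public
 host 203.0.113.20
object network inside_net
 subnet 10.1.1.0 255.255.255.0
!
! Normal publication of the web pool toward the Internet (auto NAT).
object network web_internal
 host 10.1.2.50
 nat (inside,outside) static web_public
!
! Hairpin (twice NAT): inside clients that connect to the public address are
! turned around on "inside". The destination is untranslated to the real
! server; the source is PATed to the inside interface address so the server's
! replies come back through the ASA instead of going straight to the client,
! which would leave the ASA seeing only one side of the handshake (SYN timeout).
nat (inside,inside) source dynamic inside_net interface destination static web_public web_internal
!
! Verification on the ASA (run from enable mode):
! packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.20 80
!   -> the NAT phase should show 203.0.113.20 rewritten to 10.1.2.50, the
!      source rewritten to the inside interface address, and result ALLOW
!      with output-interface inside.
! show xlate | include 10.1.1.10
! show conn address 10.1.1.10
```

If packet-tracer reports DROP in the NAT or ACL phase, check that the twice NAT rule sits above any conflicting manual NAT entries in `show nat detail` and that the inside access list permits the client to the public address.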

New Member

Re: Allow traffic from NAT to NAT on same interface

Seems to have worked.  Thanks!!!
