Community Member

ASA 5505 (9.1.3) - Hairpinning not working

Hello,

In our internal LAN, I have several different servers, which can be accessed from the Internet on different ports. I do this by using NAT with specific services.

So let's say, we have the following IP addresses:

External IP address: 1.2.3.4

External domain: www.mycompany.de, which points to 1.2.3.4

Internal IP Address 192.168.1.1

My local PC: 192.168.1.2

Internal IP of my Webserver: 192.168.1.3

Now, I'd like to use www.mycompany.de to access my own website.

From outside this works fine, but from inside I just can't get it. I read some articles about hairpinning and tested some configurations.

DNS doctoring is no option, because I'd like to use it for different services (ports) that are hosted by different servers.

Configuration:

same-security-traffic permit intra-interface

nat (inside,outside) source static obj_192-168-1-3 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-443

- NAT entry to reach the website from outside. Works fine.

nat (inside,inside) source static obj-external-ip obj_192-168-1-3 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

- Test to reach it from inside, doesn't work.

- I already switched "obj-external-ip" and "obj_192-168-1-3", but this still doesn't work.

When I try to reach the website now, I just get the following error in the log:

"Failed to locate egress interface for TCP from inside:192.168.1.2/64490 to 1.2.3.4/443"

I used this example, but unfortunately it is for the "old" (< 8.3) configuration, so it doesn't work on newer versions:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html#solution2

I think I am missing the following command, but I can't figure out how it should look in the new configuration format:

nat (inside) 1 192.168.100.0 255.255.255.0

!--- The NAT statement defines which traffic should be natted. 

!--- The whole inside subnet in this case.

Maybe someone can help me?

Thank you,

Daniel

3 REPLIES
Community Member

ASA 5505 (9.1.3) - Hairpinning not working

Hi Daniel,

I think the issue that you see here is because of two reasons -

a) the mapped IP in your case is the outside interface IP address and in this scenario you would expect to see the traffic getting dropped with the syslog message you mentioned.

b) the source for this traffic should also be NAT'ed so that the reply packets from the internal server make their way back through the firewall. --> This, however, is only a secondary issue and can be corrected using NAT.

Now, let us consider that you are using a different IP address from the interface IP on the outside to NAT the internal server. In that case, following is the NAT that needs to be configured on the ASA -

# nat (inside,inside) source dynamic obj_all interface destination static

I would not expect this to work with the outside interface being used as the mapped IP address.

Hope this helps.

- Swaraj
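
The syslog line Daniel quoted is the only visible symptom of this misconfiguration, and Swaraj's point (a) ties it to traffic aimed at the firewall's own outside interface address. As an added example (not from the thread or from Cisco), the following script parses that message from a constructed log sample and counts how often inside hosts hit one of the ASA's own interface IPs, so the hairpin attempts can be spotted in logs before anyone touches NAT. The "%ASA-6-110002:" prefix, the second and third log lines, and the interface IP map are assumptions.

```python
import re
from collections import Counter

# Pattern for the ASA message quoted in the thread. The "%ASA-6-110002:" prefix on the
# sample lines is an assumed syslog header; matching keys on the message text only.
EGRESS_FAIL = re.compile(
    r"Failed to locate egress interface for (?P<proto>[A-Z]+) from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample log: the thread's own line plus three invented neighbours.
SAMPLE_LOG = """\
%ASA-6-110002: Failed to locate egress interface for TCP from inside:192.168.1.2/64490 to 1.2.3.4/443
%ASA-6-110002: Failed to locate egress interface for TCP from inside:192.168.1.2/64491 to 1.2.3.4/443
%ASA-6-110002: Failed to locate egress interface for UDP from inside:192.168.1.7/5353 to 10.9.9.9/53
%ASA-6-302013: Built outbound TCP connection 12345 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:192.168.1.2/50000 (1.2.3.4/50000)
"""

# Assumed: the firewall's own interface addresses, taken from the thread's example.
ASA_INTERFACE_IPS = {"1.2.3.4": "outside", "192.168.1.1": "inside"}


def parse_egress_failures(text):
    """Return one dict per 'Failed to locate egress interface' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EGRESS_FAIL.search(line)
        if m:
            e = m.groupdict()
            e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
            events.append(e)
    return events


def hairpin_to_own_interface(events, interface_ips=ASA_INTERFACE_IPS):
    """Count failures whose destination is one of the ASA's own interface IPs.
    Returns {(src_if, dst_ip, dst_port, asa_if_name): count}; this is the pattern
    Swaraj's point (a) attributes to hairpin NAT against the outside interface address."""
    hits = Counter()
    for e in events:
        name = interface_ips.get(e["dst_ip"])
        if name is not None:
            hits[(e["src_if"], e["dst_ip"], e["dst_port"], name)] += 1
    return hits


if __name__ == "__main__":
    for key, n in hairpin_to_own_interface(parse_egress_failures(SAMPLE_LOG)).items():
        print(f"{n}x {key[0]} -> {key[1]}:{key[2]} ({key[3]} interface IP, hairpin suspected)")
```

Feed it the output of `show logging` or a syslog export; the UDP line to 10.9.9.9 is parsed but not flagged, since that address is not an interface IP.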

Community Member

ASA 5505 (9.1.3) - Hairpinning not working

Hello Swaraj,

You are right, the IP address of my "Outside" interface is the same as the one I try to NAT. In this example, it is 1.2.3.4.

So does it mean, this won't work?

Regards,

Daniel

Community Member

I think there is some confusion on what you think DNS doctoring is doing.

It's nothing to do with different ports or services; it changes the embedded IP address within a DNS response so that a client can successfully connect to the correct IP address of a server that lies internally.

See http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html
