11-04-2010 04:09 AM - edited 03-11-2019 12:04 PM
Hi,
I have an ASA configured to make 1:1 NAT translations to inside servers.
The problem is that when I try to access those servers from the inside LAN using their public IPs I get a timeout.
I made some research and it looks like I need to make some adjustments to make "hairpinning" happen.
Here is my config for NAT section (related to hairpinning):
nat (inside) 101 10.1.0.0 255.255.255.0
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
But somehow this configuration is not working. x.x.x.81 is not a physical address
of Outside interface, this is just a "secondary" IP from a big block.
Any suggestions?
Thanks in advance.
11-04-2010 04:15 AM
You also need to configure the following:
same-security-traffic permit intra-interface
global (inside) 101 interface
Please also make sure that "no sysopt noproxyarp inside" is configured, and if you have ACL applied to your inside interface, you would also need to allow that traffic.
Hope that helps.
11-04-2010 04:30 AM
Hi,
Thanks for your reply.
> You also need to configure the following:
> same-security-traffic permit intra-interface
> global (inside) 101 interface
> no sysopt noproxyarp inside
These settings were already configured.
Inside interface has an incoming access list with "permit any any" statement only.
I receive the following error when I try to access server using public IP from inside host:
portmap translation creation failed for tcp src inside:10.1.0.12/49340 dst inside:x.x.x.81/24
11-06-2010 09:00 AM
Is there anything else which might be double checked? Thanks.
11-06-2010 12:38 PM
Hello Sergey,
The problem is NAT, and it seems like there is something wrong with the global inside, can you double check it? Also, would you please paste the sh run static, sh run nat and sh run global?
Thanks
Mike
11-08-2010 01:48 AM
Hi Maykol,
I have three interfaces:
Outside (with public IP (x.x.x.70) directly assigned to the interface and two more secondary public IPs (x.x.x.80 and x.x.x.80) used in static NAT configuration).
Inside interface with 10.1.0.0/24 addressing and a couple of servers using port and static NAT translations.
Inside2 interface with 172.22.15.0/24 addressing - separate subnet with one inside server configured for static NAT.
Here is a part of NAT section currently in place on the device:
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
"Show run static" output:
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
"Show run nat" output:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0
"Show run global" output:
global (outside) 101 interface
Any suggestions/recommendations are highly appreciated.
Thanks in advance.
11-08-2010 04:04 AM
Hello Sergey,
You kindly attached the sh run global; it is necessary to have the entry global (inside) 101 interface, otherwise you are going to have the error messages regarding the port map translation creation failing.
Hope it helps.
Mike
11-08-2010 09:22 PM
Hi Mike,
Sorry, I totally lost the global (inside) 101 interface command, which was indicated in the official hairpinning guide I used as a reference.
I finally got the server on the "inside" interface working from the "inside" LAN via public IP. Thanks a lot!
But I have another goal I need to achieve. Hope you would be able to help with this as well.
Currently, the NAT section looks like this:
global (outside) 101 interface
global (inside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
My target is to have two servers with static NAT configured for both (10.1.0.14=x.x.x.81 and 172.22.15.7=x.x.x.80) be able to communicate with each other between the inside/inside2 subnets using public addressing (they are SMTP servers and the MX records for the domains they manage point to the public IPs, not to the private ones).
I tried to implement the following adjustment to NAT config (similar to what has been done to "inside" interface):
global (inside2) 101 interface
static (inside2,inside2) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,inside2) x.x.x.81 10.1.0.14 netmask 255.255.255.255
I got a successful result accessing x.x.x.80 (which is physically on the "inside2" interface) from an "inside" LAN host, but got zero result accessing this server from the 10.1.0.14 server itself (which is vital).
Could you please point out what I've done wrong this time? Do I need to use different NAT IDs in this design?
Thanks in advance.
11-15-2010 10:50 AM
I almost lost hope. Any suggestions? Thanks.
11-15-2010 11:46 AM
Having
static (inside2,inside2) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
will hairpin 172.22.15.7 behind the inside2 and also translate him on the inside.
So, these statics should work for inside2 and inside hosts trying to reach x.x.x.80.
Note that if an inside2 host talks to him, the return traffic will not hit the ASA, which could cause stateful inspection issues since the ASA will not be seeing the return traffic. In that case you might need TCP state bypass for that flow.
Which of the two is not working, inside to inside2? Or inside2 to inside2?
Can you run a packet tracer for the flow that is not working?
PK
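Added example, not from the thread or from Cisco: a small Python model of the pre-8.3 ASA NAT lookup behind Mike's answer (the missing global (inside) 101 interface) and PK's answer (the inside/inside2 statics). It assumes the lookup order destination static, intra-interface check, then dynamic nat/global matching, and uses the constructed 203.0.113.x addresses in place of the thread's x.x.x ones.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AsaNat:
    """Minimal model of one direction of a pre-8.3 ASA NAT lookup (assumed order)."""
    intra_interface: bool = False              # same-security-traffic permit intra-interface
    nat: list = field(default_factory=list)    # (ingress_if, nat_id, real_subnet)
    pools: set = field(default_factory=set)    # (egress_if, nat_id) from 'global ... interface'
    statics: list = field(default_factory=list)  # (real_if, mapped_if, mapped_ip, real_ip)

    def lookup(self, ingress_if, src_ip, dst_ip):
        # Step 1: the static whose mapped address is visible on the ingress interface
        # un-translates the destination and decides the egress interface.
        for real_if, mapped_if, mapped_ip, real_ip in self.statics:
            if mapped_if == ingress_if and mapped_ip == dst_ip:
                egress_if, real_dst = real_if, real_ip
                break
        else:
            return (False, "no static maps %s on %s" % (dst_ip, ingress_if))
        # Step 2: a hairpin (ingress == egress) needs intra-interface traffic permitted.
        if egress_if == ingress_if and not self.intra_interface:
            return (False, "intra-interface traffic not permitted")
        # Step 3: the dynamic nat rule matching the source must find a global pool
        # with the same id on the egress interface, otherwise translation creation fails.
        for nat_if, nat_id, subnet in self.nat:
            if nat_if == ingress_if and ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet):
                if (egress_if, nat_id) not in self.pools:
                    return (False, "portmap translation creation failed for src %s:%s dst %s:%s"
                            % (ingress_if, src_ip, egress_if, dst_ip))
                return (True, "src PAT to %s interface, dst %s -> %s" % (egress_if, dst_ip, real_dst))
        return (False, "no nat rule for %s on %s" % (src_ip, ingress_if))


def thread_config(inside_global, inside2_global):
    """Constructed from the thread's NAT lines; nat 0 exemption is not modelled."""
    asa = AsaNat(intra_interface=True)
    asa.nat = [("inside", 101, "10.1.0.0/24"), ("inside2", 101, "172.22.15.0/24")]
    asa.pools = {("outside", 101)}
    if inside_global:
        asa.pools.add(("inside", 101))    # global (inside) 101 interface
    if inside2_global:
        asa.pools.add(("inside2", 101))   # global (inside2) 101 interface
    asa.statics = [
        ("inside", "outside", "203.0.113.81", "10.1.0.14"),
        ("inside", "inside", "203.0.113.81", "10.1.0.14"),
        ("inside2", "outside", "203.0.113.80", "172.22.15.7"),
        ("inside2", "inside2", "203.0.113.80", "172.22.15.7"),
        ("inside2", "inside", "203.0.113.80", "172.22.15.7"),
        ("inside", "inside2", "203.0.113.81", "10.1.0.14"),
    ]
    return asa
```

Running lookup("inside", "10.1.0.12", "203.0.113.81") against thread_config(False, False) reproduces the "portmap translation creation failed" outcome, and the same flow succeeds once the inside global is present.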
11-16-2010 11:08 AM
Just cleared and reconfigured everything back. Maybe it was a mistype somewhere.
Now everything is working as needed. Thanks a lot to everyone who participated in this discussion.
11-16-2010 11:15 AM
Glad it worked...
PK