ASA 8.3 hairpinning

jtillonen
Level 1

Hi,

I need to configure hairpinning on an ASA with 8.3 software.

There is a web server located in the LAN. Clients have to connect to it via its public name, and the name resolves to the public IP.

I have static nat for that server - it works fine from outside, but inside hosts cannot access it.

How to proceed?

6 Replies

Bastien Migette
Cisco Employee

You may rather use DNS doctoring than hairpinning if the server is on the same interface as the LAN clients.

Basically, you create a static NAT entry for your public and private server address, adding the dns keyword.

More explanation here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution

Those NAT examples are for pre-8.3 software. As you know, NAT is quite different now.

Collin Clark
VIP Alumni

You have a couple of different options. Check the following link:

https://supportforums.cisco.com/thread/2010979

Internal DNS is the solution for us.

I'm just curious how to do it with 8.3 software by hairpinning or dns rewrite.

Hi,

If the server is located on the same interface as the clients (I am assuming "inside" over here), the command will look something like this:

object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1

Here, I have assumed the public IP of the server returned by your DNS server is 1.1.1.1 and the real IP address of the server is 10.1.1.1. In addition, you will also need

same-security-traffic permit intra-interface

and also "tcp-state-bypass" and "random-sequence-number disable". Assuming your clients' network range is 10.1.1.0/24, the config would look something like this:

access-list bypass permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
class-map bypass
 match access-list bypass
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable

Hope this helps!!

Thanks and Regards,

Prapanch
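A small audit script that goes with the hairpin answer above: it reads an ASA 8.3-style running-config excerpt and checks for the pieces that answer relies on (a nat (inside,inside) object NAT, same-security-traffic permit intra-interface, and the tcp-state-bypass class), then flags the one thing worth watching in a hairpin setup, a bypass ACL that matches "any", since every connection in that class is exempt from the ASA's TCP state checks. This is an added example written for this thread, not Cisco code; the two config excerpts are constructed (object name, addresses and ACL name follow the answer above, the rest is assumed).

```python
"""Audit an ASA 8.3+ running-config excerpt for the pieces a same-interface
("hairpin") NAT needs, and flag an over-broad tcp-state-bypass class.

Added example for this thread, not Cisco's code; the config text below is
constructed to mirror the hairpin answer above.
"""
import re

# Constructed running-config excerpt matching the hairpin answer above.
SAMPLE_CONFIG = """\
object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1
same-security-traffic permit intra-interface
access-list bypass permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
class-map bypass
 match access-list bypass
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
"""

# Constructed variant with the two mistakes the audit is meant to catch:
# intra-interface traffic not permitted, and a bypass ACL that matches 'any'.
BROAD_CONFIG = """\
object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1
access-list bypass permit tcp any any
class-map bypass
 match access-list bypass
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
"""

NAT_RE = re.compile(r"^\s*nat \(([\w-]+),([\w-]+)\) static (\S+)( dns)?\s*$")


def _same_interface_nats(lines):
    """Object NAT lines whose real and mapped interfaces are identical."""
    found = []
    for line in lines:
        m = NAT_RE.match(line)
        if m and m.group(1) == m.group(2):
            found.append({"iface": m.group(1), "mapped": m.group(3),
                          "dns": m.group(4) is not None})
    return found


def _class_acls(lines):
    """Map each class-map name to the ACL it matches on."""
    acls, current = {}, None
    for line in lines:
        if line.startswith("class-map "):
            current = line.split()[1]
        elif current and line.startswith(" match access-list "):
            acls[current] = line.split()[-1]
        elif line and not line.startswith(" "):
            current = None  # left the class-map section
    return acls


def _state_bypass_classes(lines):
    """Class names that get tcp-state-bypass inside any policy-map."""
    classes, in_policy, current = set(), False, None
    for line in lines:
        if line.startswith("policy-map "):
            in_policy, current = True, None
        elif in_policy and line.startswith(" class "):
            current = line.split()[1]
        elif in_policy and current and "tcp-state-bypass" in line:
            classes.add(current)
        elif line and not line.startswith(" "):
            in_policy = False  # left the policy-map section
    return classes


def audit_hairpin_config(config):
    """Return what was found plus a list of human-readable warnings."""
    lines = [l.rstrip() for l in config.splitlines()]
    nats = _same_interface_nats(lines)
    intra = "same-security-traffic permit intra-interface" in lines
    acls = _class_acls(lines)
    bypass = {}
    for cls in _state_bypass_classes(lines):
        acl = acls.get(cls)
        entries = [l for l in lines if l.startswith(f"access-list {acl} ")]
        # 'any' in a bypass ACL exempts far more than the one server flow
        broad = any(tok in ("any", "any4", "any6")
                    for e in entries for tok in e.split())
        bypass[cls] = {"acl": acl, "entries": entries, "broad": broad}
    warnings = []
    if nats and not intra:
        warnings.append("same-interface NAT present but "
                        "'same-security-traffic permit intra-interface' is missing")
    for cls, info in bypass.items():
        if info["broad"]:
            warnings.append(f"class {cls}: tcp-state-bypass ACL matches 'any'; "
                            "TCP state checks are skipped for all of that traffic")
    return {"hairpin_nat": nats, "intra_interface_permitted": intra,
            "state_bypass_classes": bypass, "warnings": warnings}


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broad", BROAD_CONFIG)):
        print(name, audit_hairpin_config(cfg)["warnings"])
```

Feed it the output of "show running-config" and it reports no warnings for the config in the answer above, and two for the broad variant. The "dns" flag in the result tells you whether the NAT line already does DNS doctoring, in which case the bypass class is not needed at all.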

If your DNS requests from the inside go through this ASA, I think the easier solution is DNS doctoring. The syntax for 8.3 would be

object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1 dns

I hope it helps.

PK
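To show what the dns keyword actually does to the reply the clients receive, here is an added example (written for this thread, not Cisco code): a minimal DNS wire-format parser that rewrites A records carrying the mapped address 1.1.1.1 to the real address 10.1.1.1, the same mapping as the NAT line above. On the ASA this happens inside DNS inspection (enabled in the default global_policy), so replies passing through the box arrive at inside clients already pointing at 10.1.1.1 and no hairpin connection is ever made. The query name and the second address in the sample reply are constructed values.

```python
"""Simulate what the 'dns' keyword on a static NAT does to a DNS reply.

Added example for this thread, not Cisco's code. A minimal DNS parser
rewrites A records whose address is a mapped (public) IP to the real
(inside) IP, using the thread's 1.1.1.1 -> 10.1.1.1 mapping.
"""
import socket
import struct

# Constructed static NAT table: mapped (public) address -> real (inside) address.
NAT_MAP = {"1.1.1.1": "10.1.1.1"}


def _encode_name(name):
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def build_a_response(qname, ips, txid=0x1234, ttl=300):
    """Constructed standard DNS response: one question, one A record per IP."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, class IN
    answers = b""
    for ip in ips:
        # answer name is a pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _a_record_offsets(buf):
    """Yield (rdata_offset, ip) for each IN A record in the answer section."""
    qd, an = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(bytes(buf[off:off + 4]))
        off += rdlen


def answer_ips(packet):
    """Addresses of the A records in the answer section, in order."""
    return [ip for _, ip in _a_record_offsets(packet)]


def doctor_dns_response(packet, nat_map):
    """Rewrite A-record rdata equal to a mapped address to its real address.

    Returns (new_packet, list of (mapped, real) rewrites). Only the 4-byte
    rdata changes, so names, lengths and the rest of the packet stay intact.
    """
    buf = bytearray(packet)
    rewrites = []
    for off, mapped in _a_record_offsets(buf):
        if mapped in nat_map:
            buf[off:off + 4] = socket.inet_aton(nat_map[mapped])
            rewrites.append((mapped, nat_map[mapped]))
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_a_response("www.example.com", ["1.1.1.1", "203.0.113.9"])
    doctored, changes = doctor_dns_response(reply, NAT_MAP)
    print(answer_ips(reply), "->", answer_ips(doctored), changes)
```

Only records matching a NAT entry are touched; the unrelated 203.0.113.9 answer passes through unchanged, which is also why doctoring only helps when the clients' resolver traffic really crosses the ASA, as PK notes.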
