
New Member

ASA 8.3 hairpinning

Hi,

I need to configure hairpinning on an ASA with 8.3 software.

There is a web server located in the LAN. Clients have to connect to it via its public name, and the name resolves to the public IP.

I have a static NAT for that server - it works fine from outside, but inside hosts cannot access it.

How to proceed?

6 REPLIES
Cisco Employee

Re: ASA 8.3 hairpinning

You may rather use DNS doctoring than hairpinning if the server is on the same interface as the LAN clients.

Basically, you create a static NAT entry for your public and private server addresses, adding the dns keyword.

More explanation here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution

New Member

Re: ASA 8.3 hairpinning

Those NAT examples are for pre-8.3 software. As you know, NAT is quite different now.

Re: ASA 8.3 hairpinning

You have a couple of different options. Check the following link:

https://supportforums.cisco.com/thread/2010979

New Member

Re: ASA 8.3 hairpinning

Internal DNS is the solution for us.

I'm just curious how to do it with 8.3 software by hairpinning or DNS rewrite.

Cisco Employee

Re: ASA 8.3 hairpinning

Hi,

If the server is located on the same interface as the clients (I am assuming "inside" here), the command will look something like this:

object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1

Here, I have assumed the public IP of the server returned by your DNS server is 1.1.1.1 and the real IP address of the server is 10.1.1.1. In addition, you will also need

same-security-traffic permit intra-interface

and also "tcp-state-bypass" and "random-sequence-number disable". Assuming your client network range is 10.1.1.0/24, the config would look something like this:

access-list bypass permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
class-map bypass
 match access-list bypass
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable

Hope this helps!!

Thanks and Regards,

Prapanch

Cisco Employee

Re: ASA 8.3 hairpinning

If your DNS requests from the inside go through this ASA, I think the easier solution is DNS doctoring. The syntax for 8.3 would be

object network Server
 host 10.1.1.1
 nat (inside,inside) static 1.1.1.1 dns

I hope it helps.

PK
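What the "dns" keyword does is rewrite the A-record answer in DNS replies that traverse the ASA, replacing the mapped address with the real one so inside clients connect directly without any hairpin flow at all. The following is an added example, not Cisco's code or anything from this thread, that performs that rewrite on a DNS response in wire format, using a constructed NAT table and a constructed response for "www.example.com"; the second answer address (203.0.113.5) is a documentation-range address included to show that unmapped records are left alone.

```python
import struct
import ipaddress

# Constructed sample NAT table: what the ASA holds for "object network Server" with
# "nat (inside,inside) static 1.1.1.1 dns". Keyed mapped (public) -> real (inside).
NAT_TABLE = {"1.1.1.1": "10.1.1.1"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_response(qname, answer_ips, txid=0x1234):
    """Construct a minimal DNS response: one A question, one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in answer_ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def iter_a_records(msg):
    """Yield (offset_of_rdata, address) for each A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                          # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen


def doctor_response(msg, nat_table=NAT_TABLE):
    """Rewrite A answers carrying a mapped address to the corresponding real address.

    Returns (new_message, records_rewritten). The message length never changes
    because IPv4 rdata is always 4 bytes, so no other length fields need fixing.
    """
    buf = bytearray(msg)
    rewritten = 0
    for off, ip in list(iter_a_records(msg)):
        if ip in nat_table:
            buf[off:off + 4] = ipaddress.IPv4Address(nat_table[ip]).packed
            rewritten += 1
    return bytes(buf), rewritten


def answer_addresses(msg):
    """Return the A-record addresses of a response in order (for inspection)."""
    return [ip for _, ip in iter_a_records(msg)]


if __name__ == "__main__":
    resp = build_response("www.example.com", ["1.1.1.1", "203.0.113.5"])
    fixed, n = doctor_response(resp)
    print(n, answer_addresses(resp), "->", answer_addresses(fixed))
```

This also makes PK's precondition concrete: the rewrite can only happen on replies the ASA actually forwards, so a client whose resolver is on the same inside segment never has its answer doctored and still needs either the internal DNS the original poster settled on or the hairpin configuration from the earlier reply.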
