New Member

ASA NAT Loopback

I have a requirement to access one of our outside interface IP addresses from inside the network.

The scenario is we have teleworker devices that we provision in house before sending out. These devices cannot use a hostname but must be programmed with the IP. I would like to be able to confirm these devices are working before shipping them out.

I've been attempting some kind of loopback/hair pinning NAT rules but haven't managed to get one working yet.

Any help would be greatly appreciated.

Device: ASA 5510 v8.4

4 REPLIES

ASA NAT Loopback

Hi Bro

There's no provision for interface loopback in Cisco ASA. What you can do is, set an IP address, subnet mask and default gateway on those teleworker devices, place them on the INSIDE nameif of the Cisco ASA, and try to access devices on the OUTSIDE nameif of the Cisco ASA. You can ping the OUTSIDE IP address from INSIDE, provided you have the management-access outside command, but this is messy.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

ASA NAT Loopback

I don't think I explained it very well.

The device the teleworkers need access to is on the inside. But I don't want to programme the teleworkers with the internal IP as that obviously won't work when they are shipped out.

209.x.x.157 is static NAT'd to 10.1.11.9

I need for the teleworkers to be able to reach 209.x.x.157 from the inside rather than having to use 10.1.11.9.

Hopefully that better explains it.

Re: ASA NAT Loopback

If that's the case, you'll need to enable Cisco DNS Doctoring in your Cisco FW. You could refer to this Cisco URL as a guide http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: ASA NAT Loopback

As I understand it, DNS doctoring simply hijacks the DNS request and replaces the external IP with the internal. I don't see how that is going to help considering there are no DNS requests taking place.

If I could programme the teleworker devices with a hostname I would just run split DNS and call it a day. Unfortunately I cannot.

As much as I dislike SonicWALL devices, a loopback NAT rule is a 15 second task on them. In fact most are auto generated.
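The hairpin ("loopback") NAT the original poster describes does exist on ASA 8.3+ as a twice-NAT rule between the inside interface and itself. The configuration below is an added example, not from this thread or from Cisco's reply; 203.0.113.157 is a placeholder standing in for the thread's 209.x.x.157, and the object names and the test client 10.1.11.50 are assumptions.

```cisco
! Added example (not from the thread): ASA 8.4 hairpin twice NAT so that hosts on
! the inside can reach the public address of an inside server.
! 203.0.113.157 is a placeholder for 209.x.x.157; 10.1.11.9 is the inside server.
!
! Traffic must be allowed to enter and leave the same interface for hairpinning.
same-security-traffic permit intra-interface
!
object network TELEWORKER-SERVER
 host 10.1.11.9
object network TELEWORKER-SERVER-PUBLIC
 host 203.0.113.157
!
! The existing outside static NAT from the thread, in 8.4 object-NAT form.
object network TELEWORKER-SERVER
 nat (inside,outside) static TELEWORKER-SERVER-PUBLIC
!
! Hairpin rule (twice NAT, evaluated before object NAT): for inside-to-inside
! traffic, destination 203.0.113.157 is rewritten to 10.1.11.9. The source is
! PATed to the inside interface address so that the server's replies come back
! through the ASA instead of going straight to the client, which would break the
! stateful flow.
nat (inside,inside) source dynamic any interface destination static TELEWORKER-SERVER-PUBLIC TELEWORKER-SERVER
!
! Verification from the ASA (assumed test client 10.1.11.50 on the inside):
!   show nat detail
!   packet-tracer input inside tcp 10.1.11.50 12345 203.0.113.157 443
```

Note that this rule lets any inside host reach the server via the public address without the outside ACL ever being consulted, so the inside interface ACL is the place to restrict which hosts and ports may use it.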
