Cisco ASA 5520 (asa 8.2) hairpinning

Hi All,

We have an ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.

Most customers get a private ip-range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to access each other's servers, all VLAN interfaces have the same security-level of 50. I haven't enabled the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.

Some customers (e.g. customer A) need public webmail or SMTP access to their servers. So we use both NAT and PAT to make that happen.

So, recently we've got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we decided to configure a public /29 subnet on their VLAN. Because the website on this customer's servers needs to be visible for everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACLs. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.

Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But... customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time to customer B's interface. But still, we're not able to reach customer A's website.

I've also enabled the "same-security-traffic permit intra-interface", but still the website is unreachable to customer B.

Here's a small drawing of the situation:

drawing.jpg

The ip-addresses are, of course, not real.

Can anybody please help me with this issue?

4 REPLIES

Re: Cisco ASA 5520 (asa 8.2) hairpinning

Hi Ron,

First of all check if nat-control is enabled:

show nat-control

Then the main idea is that with nat-control on, the traffic from a higher security-level (40) to a lower security-level (30) must be SNATed. In other words the Customer B source must be changed in order to access Customer A server.

Let's check if my assumptions are the ones that generate the problem.

Dan


Re: Cisco ASA 5520 (asa 8.2) hairpinning

Hi Dan,

Thanks for your response.

I've just checked and nat-control is NOT enabled on the ASA. So I'm not sure, should I or should I not enable this option?

Kind regards,

Ron

Re: Cisco ASA 5520 (asa 8.2) hairpinning

No, you should not enable it.

The easiest way to troubleshoot access issues is by using packet tracer.

packet-tracer input Customer_A tcp Customer_A_IP 2000 Customer_B_Server 80 detailed

I hope that I didn't mess up the command


Re: Cisco ASA 5520 (asa 8.2) hairpinning

That's a very cool command that I didn't know about.

I see that the packet is dropped at phase 7 (NAT-EXEMPT).

------------
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
        hits=61, user_data=0x744558f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=Cust_B_LAN, mask=255.255.255.240, port=0
        dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: Cust_B
input-status: up
input-line-status: up
output-interface: Cust_A
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
--------------------------

It seemed that I had a nonat rule messing up the communication between these interfaces. After removing it, the traffic was flowing just fine.

Thanks for your support.

Ron
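Reading a long packet-tracer trace by eye is error-prone. The following is an added example, not code from this thread or from Cisco: it parses output in the shape shown above, picks out the phase whose Result is DROP and, for a NAT-EXEMPT drop, reports the domain and real-address ranges of the exemption rule that matched. The sample trace is constructed from the thread's placeholder names.

```python
import re
# Constructed sample in the shape of the thread's packet-tracer output (thread's placeholder names)
SAMPLE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
        src ip=Cust_B_LAN, mask=255.255.255.240, port=0
        dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def _field(block, name):
    # First "Name: value" line only; the trailing "Result:" summary must not override a phase's result
    m = re.search(rf"^{name}: ?(.*)$", block, re.M)
    return m.group(1).strip() if m else ""

def parse_packet_tracer(text):
    """Split ASA packet-tracer output into per-phase dicts and return them with the Drop-reason."""
    phases = []
    for block in re.split(r"^(?=Phase: )", text, flags=re.M):
        if not block.startswith("Phase: "):
            continue
        ph = {k.lower(): _field(block, k) for k in ("Phase", "Type", "Subtype", "Result")}
        dom = re.search(r"domain=([\w-]+)", block)  # classification rule the phase matched, if shown
        ph["domain"] = dom.group(1) if dom else ""
        for side in ("src", "dst"):  # real-address ranges of that rule
            m = re.search(rf"{side} ip=(\S+), mask=(\S+),", block)
            ph[side] = f"{m.group(1)}/{m.group(2)}" if m else ""
        phases.append(ph)
    return phases, _field(text, "Drop-reason")

def explain_drop(text):
    """Name the dropping phase and, for a NAT-EXEMPT drop, the exemption rule that matched."""
    phases, reason = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return "no drop: flow allowed"
    msg = f"phase {drop['phase']} {drop['type']}/{drop['subtype']}: {reason}"
    if drop["type"] == "NAT-EXEMPT" and drop["src"]:
        msg += f" (matched {drop['domain']} rule {drop['src']} -> {drop['dst']})"
    return msg
```

Paste the real `packet-tracer ... detailed` output in place of SAMPLE; the reported src/dst ranges point at the `nat 0 access-list` entry to review.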
