New Member

DNS doctoring / rewrite / hairpinning not working

Hi.

I have an ASA 5510.

I have an Exchange OWA server that gets all traffic from 1 IP on 1 interface (and then the firewall allows only HTTPS).

I need this OWA server to be able to access its own hosted website from its external address, which right now it can't.

So say from the server I go to https://external.domain.com/exchange

This times out.

It works OK from other computers that do not have the ASA as their default gateway, so the server is working and ports are forwarding correctly.

I ticked "DNS rewrite" on the static NAT rule but it is still not working.

Any ideas?

Thanks

Accepted Solution
Super Bronze

Hi,

So it seems that you have software that still uses the older NAT format, since you are running 8.2 (big change from 8.3 onwards).

I am kind of wondering if this will work, since usually people are asking for a solution for a similar case, but there the requirement is that the internal hosts can contact the server using the public IP address.

If I were to presume the following starting information for these configurations:

  • Interfaces named "inside" and "outside"
  • Public IP 1.1.1.1 Local IP 192.168.10.10
  • Existing Dynamic PAT configuration for the network 192.168.10.0/24 using ID 1 and PAT IP address is the "outside" interface IP address

Then the current configuration (part of it) might be this:

global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

I would then probably try to add the following:

global (inside) 1 interface
static (inside,inside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

And make sure the following setting is enabled on the ASA:

same-security-traffic permit intra-interface

- Jouni
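Added example, not from the thread or from Cisco: a small Python checker that parses pre-8.3 ASA NAT statements and reports which pieces of the hairpin setup above are still missing for a given inside host and public IP. The interface names and addresses are the sample values from the post; `SAMPLE_CONFIG` is constructed here (with the `dns` keyword that the ASDM "DNS rewrite" box adds to a pre-8.3 static), and the function names are my own.

```python
import re

# Constructed sample (not a real device config): the 8.2-style NAT lines
# proposed above, plus the "dns" keyword on the outside static.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255 dns
static (inside,inside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(.*)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")


def parse_nat(config):
    """Collect the pre-8.3 NAT statements that matter for hairpinning."""
    cfg = {"statics": [], "globals": set(), "nats": set(), "intra": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif m := STATIC_RE.match(line):
            # (real_if, mapped_if, mapped_ip, real_ip, dns rewrite enabled)
            cfg["statics"].append((m[1], m[2], m[3], m[4], "dns" in m[6].split()))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].add((m[1], int(m[2])))  # (interface, nat id)
        elif m := NAT_RE.match(line):
            cfg["nats"].add((m[1], int(m[2])))  # (interface, nat id)
    return cfg


def hairpin_gaps(config, inside_if, public_ip, real_ip):
    """Return the statements still missing for an inside host to reach public_ip."""
    cfg = parse_nat(config)
    gaps = []
    if not cfg["intra"]:
        gaps.append("same-security-traffic permit intra-interface")
    if not any(s[:4] == (inside_if, inside_if, public_ip, real_ip) for s in cfg["statics"]):
        gaps.append(f"static ({inside_if},{inside_if}) {public_ip} {real_ip}")
    # A dynamic NAT id used on the inside interface also needs a global on that
    # same interface, or the hairpinned source address is never translated.
    for iface, nat_id in sorted(cfg["nats"]):
        if iface == inside_if and (inside_if, nat_id) not in cfg["globals"]:
            gaps.append(f"global ({inside_if}) {nat_id} interface")
    return gaps
```

Feed it the output of `show running-config` from a pre-8.3 ASA and an empty list means the three hairpin prerequisites are present.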

4 REPLIES
Super Bronze

Hi,

I am not quite sure why the server needs to contact itself through the public IP address. Why won't it just use the local IP address, or I wonder if the 127.0.0.1 loopback would work also?

Naturally you can configure a NAT configuration to enable this to work (or try at least), but for that I would need to know the current software version of the ASA or see the NAT configurations currently on the firewall.

- Jouni

New Member

I don't know either, I'm also trying to follow up on that too!!

Cisco Adaptive Security Appliance Software Version 8.2(4)

Device Manager Version 6.2(1)

There's no real complex NAT stuff going on; the box is not the default gateway of most devices here, it just does NAT for some web servers and hosts a few VPNs.

New Member

I am not sure if there is a requirement for this, as Exchange is working.

In fact I am not going to bother even trying, because I have been told we are updating Exchange in the next few weeks.

Thanks for your help though! :-)
