Hi all, I'm having a problem getting hairpin NAT to work on my ASA5524X, code 8.6.
I have some services sitting in DMZ_943; these are HTTPS services and are accessible from outside the network on a public IP address x.x.x.155. All works fine.
We have a set of guest internet access clients sitting in another DMZ_942 which can access the internet fine; however, when these clients need to access the HTTPS server on the public address x.x.x.155, it fails.
Both DMZs are connected to the same ASA.
Does anyone know what the correct HAIRPIN NAT statement would be for this?
You wouldn't be doing hairpin NAT, as the hosts are behind different interfaces. Hairpin NAT would be when both hosts were behind the same interface.
To me it would seem that you simply need to NAT the DMZ_943 server towards the DMZ_942 interface with the public IP address.
Naturally, what you have to take into consideration is that if you have some hosts on DMZ_942 that HAVE TO HAVE access to the server with its real IP address, then the above NAT configuration suggestion wouldn't work. In that case you might have to resort to a Static Policy NAT configuration in the new software NAT format.
If you are configuring the Static NAT for the DMZ server with a simple Network Object NAT like below, then it would be easy to do it for the other interfaces too.
Static NAT for DMZ -> WAN
object network SERVER
 host <SERVER-REAL-IP>
 nat (DMZ_943,outside) static x.x.x.115
Static NAT for DMZ -> DMZ
object network SERVER-TO-DMZ_942
 host <SERVER-REAL-IP>
 nat (DMZ_943,DMZ_942) static x.x.x.115
I am not sure how big your current configuration is, but probably the easiest way to determine the correct NAT configuration for you would be to see the current configuration.
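As an added example (not part of any post in this thread, and not the original poster's configuration), here is what the suggestion above looks like as a complete ASA 8.3+ configuration, together with the checks you would run before opening the path. All addresses other than the thread's public IP x.x.x.155 are assumed: the server's real address 10.43.0.10 on DMZ_943, the guest subnet 10.42.0.0/24 on DMZ_942, and the object and ACL names are invented for the example.

```cisco
! Constructed example; assumed values: server real IP 10.43.0.10 (DMZ_943),
! guest subnet 10.42.0.0/24 (DMZ_942), public IP x.x.x.155 from the thread.

! Real host and its existing outside translation (DMZ_943 -> outside).
object network SERVER-REAL
 host 10.43.0.10
 nat (DMZ_943,outside) static x.x.x.155

! Same real host, presented to DMZ_942 under the public IP. Guests resolve
! the public DNS name, connect to x.x.x.155, and the ASA untranslates it on
! ingress at DMZ_942, so the certificate name still matches. No U-turn through
! the outside interface and no intra-interface permit are involved.
object network SERVER-TO-DMZ_942
 host 10.43.0.10
 nat (DMZ_943,DMZ_942) static x.x.x.155

! In 8.3+ the ACL references the REAL (untranslated) address.
! Allow the guest DMZ only HTTPS to the server, block the rest of DMZ_943,
! then let guests out to the internet.
object network GUEST-NET
 subnet 10.42.0.0 255.255.255.0
object network DMZ_943-NET
 subnet 10.43.0.0 255.255.255.0
access-list DMZ_942_IN extended permit tcp object GUEST-NET object SERVER-REAL eq 443
access-list DMZ_942_IN extended deny ip object GUEST-NET object DMZ_943-NET
access-list DMZ_942_IN extended permit ip object GUEST-NET any
access-group DMZ_942_IN in interface DMZ_942

! Only needed if DMZ_942 and DMZ_943 carry the same security level.
same-security-traffic permit inter-interface

! Verification: trace a guest client to the public IP on 443 and confirm
! the NAT phase shows the (DMZ_943,DMZ_942) rule and the ACL phase allows it.
packet-tracer input DMZ_942 tcp 10.42.0.25 40000 x.x.x.155 443
show nat detail
show xlate
```

If some DMZ_942 hosts must keep reaching the server on its real address, the second network-object rule is the wrong tool (it rewrites the server for all of DMZ_942); that is the case where the twice NAT (manual NAT) form with an explicit source object is needed, as the reply above notes. The deny line before the internet permit is what keeps a guest network from using the new translation as a foothold into the rest of DMZ_943.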
All the clients will need to access the server via its public URL and IP, because it's tied in with the SSL certificate and chain.
I assumed I would need hairpin NAT because the connections are going out to the internet, resolving for DNS and then returning back in on the same interface (outside), thus requiring the command same-security-traffic permit intra-interface and a matching U-turn NAT statement?