My gateway is an ASA 5510, version 7.2(4), with IP 192.168.10.254. In my network there is a router, 192.168.10.253, which is connected to other networks, 192.168.2.0 and 192.168.3.0. There is a static route configured on my ASA to direct traffic bound for 192.168.2.0 and 192.168.3.0 to point to 192.168.10.253. However, from my PC I could not access the two networks 192.168.2.0 and 192.168.3.0. I thought hairpinning is supported on the ASA, which allows same-security traffic in and out of the same interface. I added the command "same-security-traffic permit intra-interface", but it doesn't work. Must I also add the "global (inside) 1 interface" command?
I also understand that there are admins who do DNS rewrite or hairpinning to allow their DNS clients to access internal servers using the public IP. Which method is better, such that there is less overhead in terms of network traffic?
Typically, you do need the global statement if the firewall is your default gateway and you are accessing other networks behind the router. This will ensure that the firewall sees all the traffic and will not block any of the TCP traffic.
The DNS rewrite option may not apply here, as we are looking at accessing a different network altogether. DNS rewrite is used when you have a server on the inside network (the same as your clients) and you are trying to access that server using its public IP.
In this scenario, the best solution would be to make your router the default gateway for the 192.168.10.0 network and make the firewall the default gateway for the router. This will ensure that the router routes the 192.168.2.0/3.0 subnets to the corresponding interfaces and the rest of the traffic to the firewall. This is the easiest and most efficient solution, as it will not burden your firewall with unnecessary NAT translations and will not affect your traffic negatively.
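Both designs discussed in the thread, written out as an added ASA 7.2 / router configuration example (not part of the original question or answer). It assumes /24 masks on all three subnets and that the "outside" NAT for Internet access already exists; Option A is the hairpin the question asks about, Option B is the router-as-gateway design the answer recommends.

```text
! --- Option A: ASA (192.168.10.254) stays the LAN default gateway and
!     hairpins traffic for 192.168.2.0/24 and 192.168.3.0/24 back out the
!     "inside" interface toward the router 192.168.10.253 (pre-8.3 NAT syntax)
same-security-traffic permit intra-interface
route inside 192.168.2.0 255.255.255.0 192.168.10.253 1
route inside 192.168.3.0 255.255.255.0 192.168.10.253 1
! Routing alone is not enough: the router answers the PC directly on the same
! segment, so the ASA would see only the SYN of each TCP flow and drop the
! rest as out-of-state. Translating the hairpinned traffic to the inside
! interface address forces the replies back through the ASA.
nat (inside) 1 192.168.10.0 255.255.255.0
global (inside) 1 interface
! existing Internet translation, unchanged
global (outside) 1 interface

! --- Option B (recommended in the answer): router is the LAN default gateway
! On the router (192.168.10.253): send everything it has no route for to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.10.254
! On the PCs in 192.168.10.0/24: default gateway 192.168.10.253 (DHCP option 3 or static)
!
! On the ASA: no hairpin and no inside-to-inside NAT. It only needs return
! routes for the remote subnets (so replies go to the router, not out the
! default route) and NAT entries if those subnets reach the Internet through it.
route inside 192.168.2.0 255.255.255.0 192.168.10.253 1
route inside 192.168.3.0 255.255.255.0 192.168.10.253 1
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface
```

With Option B the ASA still inspects every Internet-bound flow but no longer has to track or translate LAN-to-LAN traffic, which is the overhead reduction the answer refers to.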