Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

inside,inside NAT on ASA 9.1

Hello,

I'm trying to allow a DMZ host (a web proxy to be exact) to hit websites hosted in our DMZ using their public addresses (our guys don't want to have to do anything fancy with DNS ). I believe this is called ip hairpinning? I've created inside,inside NATs using the new ASA 9.1 config (see below) and everything is working fine. External hosts can browse these sites from the internet using the public address and DMZ hosts can browse these sites using either the public or private addresses.

The only problem I have is I get a bit of a scary error message when I configure the NAT. The error is suggesting (as far as I can see) that ALL traffic from the target private address is to the DMZ interface of the ASA is being directed to the source address of the web proxy. However, I may have the wrong end of the stick as far as the error message goes. Either way everything appears to be working fine. I've got this running in a test environment and have encountered no issues.

I'm just a wee bit concerned by the error and wondered whether anyone else had encountered this. I'm hoping it's just a "be careful what you're doing here" sort of error without necessarily indicating that something is wrong. Although that's not really how it reads. Also, it may be that there is a more efficient NAT that doesn't produce this error. I'd very much appreciate any help or advice.

Object statements, NAT statements and error message below...

object network WEBSITE-PRIVATE

host 10.1.1.33

object network WEBSITE-PUBLIC

host 123.123.123.123

nat (DMZ,DMZ) 15 source static any interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE unidirectional

WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.

WARNING: Users may not be able to access any service enabled on the DMZ interface.

Cheers,

Tormod

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

inside,inside NAT on ASA 9.1

Hi,

I would suggest trying out only a slightly different format of the command

I am not quite sure do you have only a single subnet on the "DMZ"? Something like 10.1.1.0/24?

Then you could try defining the subnet in the "nat" command. Or perhaps on the Proxy server alone.

You could also change the "source static" to "source dynamic"

object network DMZ

subnet 10.1.1.0 255.255.255.0

nat (DMZ,DMZ) 15 source dynamic DMZ interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE

Typically when we want to PAT some traffic between interfaces (though we are doing it between the same interface) and have multiple source address then we would use "dynamic" instead of "static".

I think the fact that you are using the "static" in this case is causing the ERROR messages.

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

2 REPLIES
Super Bronze

inside,inside NAT on ASA 9.1

Hi,

I would suggest trying out only a slightly different format of the command

I am not quite sure do you have only a single subnet on the "DMZ"? Something like 10.1.1.0/24?

Then you could try defining the subnet in the "nat" command. Or perhaps on the Proxy server alone.

You could also change the "source static" to "source dynamic"

object network DMZ

subnet 10.1.1.0 255.255.255.0

nat (DMZ,DMZ) 15 source dynamic DMZ interface destination static WEBSITE-PUBLIC WEBSITE-PRIVATE

Typically when we want to PAT some traffic between interfaces (though we are doing it between the same interface) and have multiple source address then we would use "dynamic" instead of "static".

I think the fact that you are using the "static" in this case is causing the ERROR messages.

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

New Member

inside,inside NAT on ASA 9.1

Fantastic!

It works like a charm. No error messages any more. Thanks again for your help. I must be due you a beer by now.

One  thing that nearly tripped me up was that I had my inside,inside NAT  below the outside,inside NAT in my config. This resulted in the traffic  being sent out to the internet. Something to be mindful of

771
Views
0
Helpful
2
Replies
CreatePlease to create content