I'm trying to allow a DMZ host (a web proxy to be exact) to hit websites hosted in our DMZ using their public addresses (our guys don't want to have to do anything fancy with DNS). I believe this is called IP hairpinning? I've created inside,inside NATs using the new ASA 9.1 config (see below) and everything is working fine. External hosts can browse these sites from the internet using the public address and DMZ hosts can browse these sites using either the public or private addresses.
The only problem I have is I get a bit of a scary error message when I configure the NAT. The error is suggesting (as far as I can see) that ALL traffic from the target private address to the DMZ interface of the ASA is being directed to the source address of the web proxy. However, I may have the wrong end of the stick as far as the error message goes. Either way everything appears to be working fine. I've got this running in a test environment and have encountered no issues.
I'm just a wee bit concerned by the error and wondered whether anyone else had encountered this. I'm hoping it's just a "be careful what you're doing here" sort of error without necessarily indicating that something is wrong. Although that's not really how it reads. Also, it may be that there is a more efficient NAT that doesn't produce this error. I'd very much appreciate any help or advice.
Object statements, NAT statements and error message below...
It works like a charm. No error messages any more. Thanks again for your help. I must be due you a beer by now.
One thing that nearly tripped me up was that I had my inside,inside NAT below the outside,inside NAT in my config. This resulted in the traffic being sent out to the internet. Something to be mindful of.