NAT/Route help

Andy White · ‎12-09-2009

Hello,

We have some wireless devices our warehouse use on our wireless network there (VLAN on our internal Corp LAN) or via GPRS, GPRS works fine as the custom built software points to an external IP (172.26.1.2) that points to our ASA 5520 and NAT's to an internal IP or a server (IIS web server).

I been asked if it's possible for the wireless internal network to also use this external IP? So if the device is on the corperate wireless network and wants to get to this external IP then it doesn't go outbound and back in again, but merely NAT's/routers to the internal address?

Possible?

Panos Kampanakis · ‎12-14-2009

So what you want to do is to hairpin the traffic on the inside of the ASA. Inside people will use external ip and hit the inside and the ASA will need to untranslate to the local inside ip and send it back inside.

Well this can be done, but it might have some complications.

You can have the ASA do

static (inside,inside) external_ip internal_ip.

But what is going to happen to the return traffic. When the internal ip responds, is the return traffic going to hit the ASA. If yes, then this could work.

If not then there might be asymmetric routing and you would need state bypass on the ASA so it won't drop packets because they do not follow the state information that it sees for that conn.

I hope it helps.

PK