Cisco Support Community
Public-Public connection w/hairpinning

I have an ASA on 8.04, and have set up hairpinning to allow internal desktops to access a pair of servers via their public addresses. Config snippet below - essentially as per the CCO DNS doctoring document except for the second server. Desktop-server communication is working, but the servers also need to run FTP between them. This is not working.

My knowledge of the internal processes of the ASA is highly imperfect, but it seems to me there might be problems with getting all the needed translations, connection table entries etc. built correctly in this context, particularly for TCP, since the ASA validates the handshake. My main question is, is communication between a pair of public addresses supported via hairpinning, and, if so, what config mods are necessary to support it?

Thanks.

! Allow traffic between interfaces of equal security level and, for the
! hairpin, traffic entering and leaving the same interface (Inside -> Inside)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! PAT pools: anything in nat group 10 is translated to the interface address
! of whichever interface it exits, including the Inside interface on a hairpin
global (Outside) 10 interface
global (Inside) 10 interface
!
! NAT exemption (identity) for the Inside_nat0_outbound ACL, then PAT for the rest
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
!
! Hairpin statics: the two servers are reachable from Inside on their public
! addresses; these one-to-one mappings take precedence over the PAT above
static (Inside,Inside) x.y.z.196 192.168.10.6 netmask 255.255.255.255
static (Inside,Inside) x.y.z.197 192.168.10.7 netmask 255.255.255.255
!
! Default inspection class (matches the well-known ports for each inspector)
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
! Global inspection policy; inspect ftp is what rewrites PORT/PASV payloads
! and opens the data-connection pinholes across the hairpin
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
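The hairpin statics from the post, followed by the checks an engineer would run on the ASA to see whether the server-to-server FTP session is actually being translated and inspected. This is an added example, not configuration from the original post or from Cisco's DNS-doctoring document; interface names, addresses and the x.y.z public block are the post's, while the client source port 1025 and the syslog buffer setting are assumptions.

```cisco
! Added example: hairpin statics plus verification commands (assumed source port 1025)
same-security-traffic permit intra-interface
global (Inside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Inside) x.y.z.196 192.168.10.6 netmask 255.255.255.255
static (Inside,Inside) x.y.z.197 192.168.10.7 netmask 255.255.255.255
!
! 1. Simulate the FTP control connection from server A (192.168.10.6) to
!    server B's public address. The per-phase output shows whether the
!    intra-interface check, the static NAT lookup on source and destination,
!    and the FTP inspector apply; the final Result line says ALLOW or DROP.
packet-tracer input Inside tcp 192.168.10.6 1025 x.y.z.197 21 detailed
!
! 2. After a real attempt, confirm both statics produced a translation:
!    expect 192.168.10.6 <-> x.y.z.196 and 192.168.10.7 <-> x.y.z.197.
show xlate
!
! 3. Look for the control connection, and once PORT/PASV has been exchanged,
!    the data connection the FTP inspector should have opened for it.
show conn protocol tcp port 21
show conn address 192.168.10.6
!
! 4. Confirm the inspector is seeing this traffic: the "inspect ftp" line
!    of the global policy should show non-zero packet counts.
show service-policy inspect ftp
!
! 5. While reproducing, watch for translation builds (305009 static,
!    305011 dynamic) and TCP connection builds (302013) for server A.
logging buffered informational
show logging | include 192.168.10.6
```

If packet-tracer reports ALLOW but show conn never shows a data connection, the control channel is fine and the problem is on the PORT/PASV rewrite, which points at the FTP inspector rather than at the statics; if the xlate for either server is missing, the static (Inside,Inside) is not being applied to that direction of the flow.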

1 REPLY

Re: Public-Public connection w/hairpinning

I entered this topic in the VPN category by mistake - I have re-posted in the security/firewalling section. Please ignore. Sorry for the confusion.
