RE: ASA "Hairpin" issue

From: Ryan West <rwest_at_zyedge.com>
Date: Tue, 1 Mar 2011 00:00:17 +0000

The second example I gave should do the trick. It won't pass through the
outside though, so you may need to put restrictions to only allow HTTPS from
the 10.10.10.254 PAT to that server. The translation is between webdmz and
the inside only, but presented as an external address.

-ryan

From: Ye Tian [mailto:emaomi_at_gmail.com]
Sent: Monday, February 28, 2011 6:51 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com
Subject: Re: ASA "Hairpin" issue

outside: 1.1.1.1/24
inside: 10.10.10.0/24
webdmz: 10.10.32.0/24

Inside the 10.10.10.0 subnet, we have a Cisco router whose external IP is
10.10.10.254 and internal IP 10.192.168.1.2. So, 192.168.1.0 is NATed to
10.10.10.254 before leaving the router. On the router, we allow 192.168.1.0
access anywhere besides 10.0.0.0/8. So, for a guest
192.168.1.100 to reach 1.1.1.2 (Citrix public IP), he will be PATed to
10.10.10.254; when the packet reaches the ASA, how is the packet processed to
reach 1.1.1.2? Will it be routed out of the ASA outside interface? 1.1.1.2 is just
a kind of virtual IP configured on the ASA.

Thanks!

On Mon, Feb 28, 2011 at 3:01 PM, Ryan West
<rwest_at_zyedge.com> wrote:
Could you sanitize your interface names and IPs to help clarify? If you want
to expose the external address of your citrix farm to another interface on the
ASA, it would be treated as if it were an inside to outside 1:1, but would
reference the other interface in the connection. I know that probably doesn't
read well, but let's say you have another interface called guest. Then it
would be:

static (webdmz,guest) 1.1.1.2 10.10.32.25

And based on your email below, you probably would not need to adjust the ACL
from the 'guest' interface.

-ryan

From: Ye Tian [mailto:emaomi_at_gmail.com]
Sent: Monday, February 28, 2011 5:54 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com
Subject: Re: ASA "Hairpin" issue

Thanks for your response, Ryan!

I will make this case clearer.
First, this Citrix farm is for public access only, so the traffic from webdmz
is only allowed to go to the Internet;
Second, we want to treat the guest subnet 192.168.1.0 just like a subnet on the
Internet. They are not allowed to touch the inside subnet; they are only allowed
to have their traffic NATed to the Internet. So the traffic flow looks like:

192.168.1.100 --->(pat) 1.1.1.1--->1.1.1.2--->(1-to-1nat) 10.10.32.25, then
return back.

On Mon, Feb 28, 2011 at 2:42 PM, Ryan West
<rwest_at_zyedge.com> wrote:
Ye,

You need a translation for the traffic going from webdmz to inside, as the
traffic comes back, it's NAT'ing to the PAT address. Try this:

static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com
[mailto:nobody_at_groupstudy.com] On Behalf Of Ye Tian
Sent: Monday, February 28, 2011 5:34 PM
To: ccielab_at_groupstudy.com
Subject: ASA "Hairpin" issue

Hello Group,

We have a guest subnet 192.168.1.0/24 located inside of the
ASA. This subnet is only allowed to access the Internet, which is PATed on the ASA
outside interface 1.1.1.1 (public IP). We have a Citrix farm for access
from the public, which is using 1-to-1 NAT on the ASA (static (webdmz,outside)
1.1.1.2 10.10.32.25 netmask 255.255.255.255) with an HTTPS-only ACL.

The 192.168.1.0/24 cannot access 10.10.32.25. We were
told the only way to make it work is to change the public IP of 1-to-1 nat to
a different subnet.

Could somebody help me to understand it?

Thanks a lot!
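As an added example that is not part of the thread, the pre-8.3 ASA configuration that Ryan's second suggestion points to, adapted to Ye's addressing: guest hosts reach the ASA on the inside interface already PATed to 10.10.10.254, so the hairpin static pairs webdmz with inside rather than a separate guest interface. The ACL name, the inside ACL's remaining rules and the nat-control line are assumptions.

```text
! Existing 1:1 translation: Citrix farm published on the outside interface
static (webdmz,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255

! Added: present the same public address to hosts arriving on inside.
! Without this line a packet from inside to 1.1.1.2 matches no (webdmz,inside)
! translation, so the ASA routes it toward the outside interface instead of
! un-translating the destination to 10.10.32.25 in webdmz.
static (webdmz,inside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255

! Only needed if nat-control is enabled: inside (higher security) to webdmz
! then requires a translation for the source as well, so give the router's
! PAT address an identity translation toward webdmz (assumed requirement).
static (inside,webdmz) 10.10.10.254 10.10.10.254 netmask 255.255.255.255

! Limit what the guest PAT address may reach through the hairpin: HTTPS to
! the published address only. Pre-8.3 inbound ACLs reference the address as
! the sender sees it (1.1.1.2), not the real webdmz address. ACL name assumed;
! the final permit keeps other inside hosts unaffected (assumed policy).
access-list inside_in extended permit tcp host 10.10.10.254 host 1.1.1.2 eq https
access-list inside_in extended deny ip host 10.10.10.254 10.0.0.0 255.0.0.0
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

The deny for 10.0.0.0/8 duplicates the router's guest policy on the ASA, so a misconfigured router cannot give guests a path into inside or webdmz other than the published HTTPS service.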
Received on Tue Mar 01 2011 - 00:00:17 ART
