Hairpinning - it's doing my head in. (route inside to inside)
Guys,
I really need help.
The current setup is that everything goes through 3.1, all traffic including internet; the ADSL router at 32.4.7.8 is only for internet, as the internet through the MPLS is extremely slow.
I'm trying to do hairpinning on the inside interface to the inside of my ASA.
For the hosts to reach the 4.0 subnet they need to be pushed out router 3.1, and for anything else the traffic needs to be pushed out 3.10.
What I've done is set up ONE workstation with a default gateway of 3.10 and I've made the ASA do all the routing. It has two routes in there:
1: "route inside 192.168.4.0 255.255.255.0 192.168.3.1 1"
2: "route outside 0.0.0.0 0.0.0.0 32.4.7.9 5"
I also have a nat command which NATs any traffic going out the outside, which is "nat (inside) 1 192.168.3.0 255.255.255.0", "global (outside) 1 interface". Going to the 4.0 is an MPLS line, therefore they are private addresses.
The ASA has the following commands for hairpinning.
same-security-traffic permit intra-interface
nat (inside) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
Now...
What happens is that when I insert the two static commands from above (regardless of the workstations being configured), the DHCP goes mad and the inside hosts can't get out to the MPLS, and in the DHCP server I get BAD ADDRESS. As soon as these two statics are removed everything is fine. I have these two in there because any traffic which is sent back to the inside should not be NATed and should stay from the address it came from, and only the destination (default gateway) address should change, i.e. 3.1.
Any suggestions???
Network Diagram
Comments
-
unclerico Member Posts: 237
The route lookup happens before NAT in the order of operations. Since you are going from inside to inside no NAT configuration is needed, just the same-security-traffic permit intra-interface is.
-
tim100 Member Posts: 162
unclerico wrote: »The route lookup happens before NAT in the order of operations. Since you are going from inside to inside no NAT configuration is needed, just the same-security-traffic permit intra-interface is.
NAT configuration is needed for the outgoing interface once "nat (inside)" has been configured. Either NAT exemption, identity NAT or a "global (inside)" command is needed. The inside interface is still the outgoing interface.
-
tim100 Member Posts: 162
lon21 wrote: »static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
Now...
As soon as these two statics are removed everything is fine. I have these two in there because any traffic which is sent back to the inside should not be NATed and should stay from the address it came from, and only the destination (default gateway) address should change, i.e. 3.1.
Any suggestions???
Remove the static commands altogether and add:
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list no-nat
-
lon21 Member Posts: 201
Thanks guys,
no proxyarp resolved the issue.
Also using the state bypass feature.
Thank You.
-
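An added example that is not any poster's config: how tim100's NAT-exemption answer and lon21's "no proxyarp" plus TCP state bypass follow-up fit together with the routes from the original post, with a packet-tracer check at the end. ASA 8.2-era syntax is assumed; the test host 192.168.3.50, the 4.0 target 192.168.4.10 and the names no-nat, bypass-acl and bypass-cm are constructed.

```cisco
! Added example (not from the thread). ASA 8.2-era syntax assumed.
! Interfaces, gateways and subnets are the ones described in the original post.

! Let a packet that arrived on "inside" leave via "inside" (the hairpin).
same-security-traffic permit intra-interface

! Routing is evaluated before NAT: 192.168.4.0/24 via the MPLS router,
! everything else via the ADSL router on "outside".
route inside  192.168.4.0 255.255.255.0 192.168.3.1 1
route outside 0.0.0.0     0.0.0.0       32.4.7.9    5

! PAT applies only to flows that actually exit via "outside".
nat (inside) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface

! NAT exemption replaces the two static (inside,inside) entries, so
! inside-to-inside flows keep their real source address.
! Why the statics broke DHCP: a static whose mapped interface is "inside"
! makes the ASA proxy-ARP for the whole mapped range (192.168.3.0/24) on
! the LAN, so the DHCP server's ping-before-offer got answers and marked
! leases BAD_ADDRESS.
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list no-nat

! If identity statics on "inside" must remain, stop the ASA answering ARP
! for them instead (this is the fix lon21 reported).
! sysopt noproxyarp inside

! Replies from 192.168.3.1 go straight to the host, so the ASA sees only
! one direction of each TCP flow and would drop out-of-state packets.
! TCP state bypass for that traffic pair (8.2(1)+) avoids those drops.
access-list bypass-acl extended permit tcp 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
class-map bypass-cm
 match access-list bypass-acl
policy-map global_policy
 class bypass-cm
  set connection advanced-options tcp-state-bypass

! Verify the hairpin path without involving any host: the trace should
! end with output-interface inside, a NAT exempt phase, and Action: allow.
packet-tracer input inside icmp 192.168.3.50 8 0 192.168.4.10
```

Because state bypass also disables the TCP normalizer and state checks for that traffic pair, keep bypass-acl as narrow as the asymmetric path requires.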
lon21 Member Posts: 201
OK, guys, for some reason this did not work.
After a few days the network went down, DHCP leased out all its addresses, and even when we freed some up the network was still down.
Any ideas?
-
creamy_stew Member Posts: 406
How many hosts does your ASA license allow? 10, 50 or unlimited?
-
lon21 Member Posts: 201
creamy_stew wrote: »How many hosts does your ASA license allow? 10, 50 or unlimited?
I have only one host which uses the ASA as its default gateway, but the TCP performs bypass, which could see every packet.
Could this be a problem?
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
lon21 wrote: »OK, guys, for some reason this did not work.
After a few days the network went down, DHCP leased out all its addresses, and even when we freed some up the network was still down.
Any ideas?
Post your latest config and tell us what ASA version you are using.