RE: ASA "Hairpin" issue

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 28 Feb 2011 22:42:32 +0000

Ye,

You need a translation for the traffic going from webdmz to inside; as the traffic comes back, it's NAT'ing to the PAT address. Try this:

Static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ye Tian
Sent: Monday, February 28, 2011 5:34 PM
To: ccielab_at_groupstudy.com
Subject: ASA "Hairpin" issue

Hello Group,

We have a guest subnet 192.168.1.0/24 located inside of the ASA. This subnet is only allowed to access the Internet, which will PAT on the ASA outside interface 1.1.1.1 (public IP). We have a Citrix farm for access from the public, which is using 1-to-1 NAT on the ASA (static (webdmz,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255) with an HTTPS-only ACL.

The 192.168.1.0/24 cannot access 10.10.32.25. We were told the only way to make it work is to change the public IP of the 1-to-1 NAT to a different subnet.

Could somebody help me to understand it?

Thanks a lot!

Received on Mon Feb 28 2011 - 22:42:32 ART
