Thanks for your response, Ryan!
I will make this case clearer.
First, this Citrix farm is for public access only, so the traffic from
webdmz is only allowed to go to the Internet;
Second, we want to treat the guest subnet 192.168.1.0 just like a subnet on
the Internet. They are not allowed to touch any subnet inside; they are only
allowed to have their traffic NATed to the Internet. So the traffic flow looks like:
192.168.1.100 --->(PAT) 1.1.1.1--->1.1.1.2--->(1-to-1 NAT) 10.10.32.25, and then
returns.
On Mon, Feb 28, 2011 at 2:42 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Ye,
>
> You need a translation for the traffic going from webdmz to inside; as the
> traffic comes back, it's NATing to the PAT address. Try this:
>
> Static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ye
> Tian
> Sent: Monday, February 28, 2011 5:34 PM
> To: ccielab_at_groupstudy.com
> Subject: ASA "Hairpin" issue
>
> Hello Group,
>
>
> We have a guest subnet 192.168.1.0/24 located on the inside of the ASA. This
> subnet is only allowed to access the Internet, and is PATed to the ASA outside
> interface 1.1.1.1 (public IP). We have a Citrix farm for access from the
> public, which uses 1-to-1 NAT on the ASA (static (webdmz, outside)
> 1.1.1.2 10.10.32.25 netmask 255.255.255.255) with an HTTPS-only ACL.
>
> The 192.168.1.0/24 cannot access 10.10.32.25. We were told the only way to
> make it work is to change the public IP of the 1-to-1 NAT to a different subnet.
>
> Could somebody help me understand it?
>
> Thanks a lot!
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Feb 28 2011 - 14:53:58 ART
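The flow described in the reply (guest host, PAT on the outside interface, the public address of the Citrix host, 1-to-1 NAT into webdmz) is a classic ASA hairpin: the guest client is sent towards an address that lives on the outside interface while the real host sits on another DMZ. The configuration below is an added illustration in the pre-8.3 syntax the thread uses; it is not from either poster and has not been verified against this network. It combines the two translations quoted in the thread with an assumed third entry, `static (webdmz,inside)`, that presents 10.10.32.25 to the inside interface under 1.1.1.2 so a guest client can reach the public address without the flow leaving and re-entering the outside interface, and adds an inside-interface ACL that enforces the stated policy that the guest subnet is treated like the Internet. The `nat`/`global` pair, the ACL name GUEST_IN and the RFC 1918 deny entries are assumptions.

```cisco
! --- translations quoted in the thread (ASA pre-8.3 syntax) ---
! Guest subnet is PATed to the outside interface address 1.1.1.1
! (assumed form of the existing PAT)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Citrix host 10.10.32.25 in webdmz is published as 1.1.1.2 on outside
static (webdmz,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
!
! --- Ryan's suggestion: identity translation for the guest subnet towards webdmz,
! so inside->webdmz traffic is not looked up against the outside PAT pool
static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! --- assumed addition (not from the thread): present the Citrix host to the
! inside interface under its public address, so a guest client that connects
! to 1.1.1.2 is translated directly to 10.10.32.25 in webdmz
static (webdmz,inside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
!
! --- assumed policy ACL: the guest subnet is treated like the Internet.
! Pre-8.3 ACLs see the destination as it appears on the ingress interface,
! so the Citrix host is referenced here as 1.1.1.2, never as 10.10.32.25.
access-list GUEST_IN extended permit tcp 192.168.1.0 255.255.255.0 host 1.1.1.2 eq 443
access-list GUEST_IN extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list GUEST_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group GUEST_IN in interface inside
```

The check a practitioner would run before trusting this is `packet-tracer input inside tcp 192.168.1.100 40000 1.1.1.2 443`, which walks a simulated flow through the ACL and NAT phases and reports the egress interface and whether the packet is allowed; the expected outcome here is an allow with egress on webdmz, and a second trace towards 10.10.32.25 or any other internal address should report a drop at the ACL phase. The order of the RFC 1918 deny lines before the final permit is what keeps the guest subnet from reaching the real DMZ address or internal hosts while still letting its Internet-bound traffic through.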