RE: ASA "Hairpin" issue

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 28 Feb 2011 23:01:56 +0000

Could you sanitize your interface names and IPs to help clarify? If you want
to expose the external address of your citrix farm to another interface on the
ASA, it would be treated as if it were an inside to outside 1:1, but would
reference the other interface in the connection. I know that probably doesn't
read well, but let's say you have another interface called guest. Then it
would be:

Static (webdmz,guest) 1.1.1.2 10.10.32.25

And based on your email below, you probably would not need to adjust the ACL
from the 'guest' interface.

-ryan

From: Ye Tian [mailto:emaomi_at_gmail.com]
Sent: Monday, February 28, 2011 5:54 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com
Subject: Re: ASA "Hairpin" issue

Thanks for your response, Ryan!

I will make this case more clear.
First, this Citrix farm is for public access only, so the traffic from webdmz
is only allowed to go to the Internet;
Second, we want to treat the Guest subnet 192.168.1.0 just like a subnet on
the Internet. They are not allowed to touch the inside subnet; they are only
allowed to have their traffic NATted to the Internet. So the traffic flow looks like:

192.168.1.100 --->(pat) 1.1.1.1--->1.1.1.2--->(1-to-1nat) 10.10.32.25, then
return back.

On Mon, Feb 28, 2011 at 2:42 PM, Ryan West <rwest_at_zyedge.com> wrote:
Ye,

You need a translation for the traffic going from webdmz to inside; as the
traffic comes back, it's NAT'ing to the PAT address. Try this:

Static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ye
Tian
Sent: Monday, February 28, 2011 5:34 PM
To: ccielab_at_groupstudy.com
Subject: ASA "Hairpin" issue

Hello Group,

We have a guest subnet 192.168.1.0/24 located on the inside of the ASA. This
subnet is only allowed to access the Internet, which is PATed on the ASA
outside interface 1.1.1.1 (public IP). We have a Citrix farm for access from
the public, which uses 1-to-1 NAT on the ASA (static (webdmz,outside)
1.1.1.2 10.10.32.25 netmask 255.255.255.255) with an https-only ACL.

The 192.168.1.0/24 subnet cannot access 10.10.32.25. We were told the only
way to make it work is to change the public IP of the 1-to-1 NAT to a
different subnet.

Could somebody help me to understand it?

Thanks a lot!
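
Ryan's guest-interface suggestion written out as a complete pre-8.3 ASA fragment. This is an added example, not configuration from anyone in the thread; it assumes the guest subnet sits behind its own interface named "guest" (as Ryan supposes), that nat-control is off (the default), and that the interface numbering, security level, ACL name and the 10.10.0.0/16 "inside" range are placeholders.

```cisco
! Added example (not from the thread). Pre-8.3 syntax, matching the
! "static (real_ifc,mapped_ifc) mapped_ip real_ip" form used above.
! Assumed: guest is its own interface; nat-control is off (default).
interface GigabitEthernet0/2
 nameif guest
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
! Translations from the original post: guest hosts PAT to the outside
! interface address 1.1.1.1; the Citrix farm is 1:1 toward the outside.
global (outside) 1 interface
nat (guest) 1 192.168.1.0 255.255.255.0
static (webdmz,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
!
! Ryan's suggestion: present the same public address on the guest
! interface. Guest traffic to 1.1.1.2 is then translated directly between
! webdmz and guest and never has to leave via outside and come back.
static (webdmz,guest) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
!
! Guest ACL: the same https-only restriction the outside ACL applies to the
! farm, an explicit deny toward the inside networks (placeholder range), then
! Internet access. Order matters: the deny must precede the final permit.
access-list guest_in extended permit tcp 192.168.1.0 255.255.255.0 host 1.1.1.2 eq https
access-list guest_in extended deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list guest_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group guest_in in interface guest
!
! Verify the path from the ASA CLI (should show the webdmz,guest xlate):
! packet-tracer input guest tcp 192.168.1.100 12345 1.1.1.2 443
```

The packet-tracer line is the quickest way to confirm the new static is the one being hit, and that an attempt from guest to an inside address is dropped by the ACL rather than translated.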

Received on Mon Feb 28 2011 - 23:01:56 ART