outside: 1.1.1.1/24
inside: 10.10.10.0/24
webdmz: 10.10.32.0/24
Inside the 10.10.10.0 subnet, we have a Cisco router whose external IP is
10.10.10.254 and internal IP 192.168.1.2. So, 192.168.1.0 is NATted to
10.10.10.254 before leaving the router. On the router, we allow 192.168.1.0
access to anywhere besides 10.0.0.0/8. So, for a guest at 192.168.1.100 to reach
1.1.1.2 (the Citrix public IP), it will be PATed to 10.10.10.254; when the
packet reaches the ASA, how is the packet processed to reach 1.1.1.2? Will it
be routed out of the ASA outside interface? 1.1.1.2 is just a kind of virtual IP
configured on the ASA.
Thanks!
On Mon, Feb 28, 2011 at 3:01 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Could you sanitize your interface names and IPs to help clarify? If you
> want to expose the external address of your Citrix farm to another interface
> on the ASA, it would be treated as if it were an inside to outside 1:1, but
> would reference the other interface in the connection. I know that probably
> doesn't read well, but let's say you have another interface called guest.
> Then it would be:
>
> static (webdmz,guest) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
>
> And based on your email below, you probably would not need to adjust the
> ACL from the guest interface.
>
> -ryan
>
> *From:* Ye Tian [mailto:emaomi_at_gmail.com]
> *Sent:* Monday, February 28, 2011 5:54 PM
> *To:* Ryan West
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: ASA "Hairpin" issue
>
> Thanks for your response, Ryan!
>
> I will make this case clearer.
>
> First, this Citrix farm is for public access only, so traffic from
> webdmz is only allowed to go to the Internet;
>
> Second, we want to treat the guest subnet 192.168.1.0 just like a subnet on
> the Internet. They are not allowed to touch the inside subnet; their
> traffic is only allowed to be NATted to the Internet. So the traffic flow is like:
>
> 192.168.1.100 --->(PAT) 1.1.1.1--->1.1.1.2--->(1-to-1 NAT) 10.10.32.25, then
> back.
>
> On Mon, Feb 28, 2011 at 2:42 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Ye,
>
> You need a translation for the traffic going from webdmz to inside; as the
> traffic comes back, it's NATing to the PAT address. Try this:
>
> static (inside,webdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ye
> Tian
> Sent: Monday, February 28, 2011 5:34 PM
> To: ccielab_at_groupstudy.com
> Subject: ASA "Hairpin" issue
>
> Hello Group,
>
> We have a guest subnet 192.168.1.0/24 located inside of the ASA. This subnet
> is only allowed to access the Internet, which will PAT on the ASA outside
> interface 1.1.1.1 (public IP). We have a Citrix farm for access from the
> public, which is using 1-to-1 NAT on the ASA (static (webdmz,outside)
> 1.1.1.2 10.10.32.25 netmask 255.255.255.255) with an HTTPS-only ACL.
>
> The 192.168.1.0/24 cannot access 10.10.32.25. We were told the only way to
> make it work is to change the public IP of the 1-to-1 NAT to a different
> subnet.
>
> Could somebody help me to understand it?
>
> Thanks a lot!
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Mon Feb 28 2011 - 15:51:10 ART
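The configuration below is an added example, not from this thread or from either poster. It applies the idea in Ryan's reply (publish the same 1:1 static toward a second interface) to the topology in the top message, where the guest block is PATed by the branch router to 10.10.10.254 before it reaches the ASA inside interface, so the ASA never sees 192.168.1.0/24 itself. It uses the 8.2-style static (real,mapped) syntax the thread uses. Interface numbers, security levels, the ASA's own 10.10.10.1 and 10.10.32.1 addresses and the ACL names are assumptions.

```text
! Added example (not from the thread). ASA 8.2-style NAT syntax.
! Interface numbers, security levels, the ASA addresses 10.10.10.1 /
! 10.10.32.1 and the ACL names are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Ethernet0/2
 nameif webdmz
 security-level 50
 ip address 10.10.32.1 255.255.255.0
!
! Everything entering on inside (including the branch router's 10.10.10.254,
! which the guests are PATed to) is PATed to the outside address 1.1.1.1.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Existing 1:1 static from the thread: Internet clients reach the Citrix
! host as 1.1.1.2, HTTPS only.
static (webdmz,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.2 eq https
access-group outside_in in interface outside
!
! The missing piece. A static is only consulted for packets arriving on its
! mapped interface, so a packet from inside to 1.1.1.2 does not match the
! (webdmz,outside) entry: the ASA does a route lookup for 1.1.1.2, finds it
! in the directly connected outside subnet, PATs the source and sends it out
! outside, where nothing answers for the ASA's own mapped address.
! Publishing the same mapping toward inside makes the ASA un-translate
! 1.1.1.2 -> 10.10.32.25 on ingress and forward inside -> webdmz; the reply
! is translated back to 1.1.1.2 by the same entry.
static (webdmz,inside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255
!
! Identity translation so inside sources stay unchanged on webdmz. Required
! only if nat-control is enabled (off by default); harmless otherwise.
static (inside,webdmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Guests (seen here only as 10.10.10.254) reach the farm only through the
! published address and only on HTTPS, mirroring the outside ACL. In 8.2 an
! ingress ACL is evaluated against the address as it arrives, hence 1.1.1.2.
! Direct access to webdmz real addresses from that source is denied as
! defence in depth; the router's 10.0.0.0/8 filter stays the primary control
! for 192.168.1.0/24. Other inside hosts are unaffected.
access-list inside_in extended permit tcp host 10.10.10.254 host 1.1.1.2 eq https
access-list inside_in extended deny ip host 10.10.10.254 10.10.32.0 255.255.255.0
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Check it with `packet-tracer input inside tcp 10.10.10.254 40000 1.1.1.2 443`: the NAT phase should show the static (webdmz,inside) entry, the output interface should be webdmz, and the result ALLOW; `show xlate` afterwards shows 1.1.1.2 mapped to 10.10.32.25 on the inside/webdmz pair. `same-security-traffic permit intra-interface` is not needed here because no packet re-enters the interface it arrived on: guests enter on inside and the server sits on webdmz. On 8.3 and later the same mapping is written as object NAT (`object network citrix-host`, `host 10.10.32.25`, `nat (webdmz,inside) static 1.1.1.2`), and the ACLs then reference the real address 10.10.32.25 instead of 1.1.1.2.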