out and back in

I've seen this work on other ASAs that I don't administer so I know it can be done, but haven't been able to figure it out on my own network. Connecting to inside hosts from other inside hosts by using those hosts' static public IPs.

For example:

static (inside,outside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255
static (inside,outside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

Connecting from host1 (172.16.10.1) to 123.123.123.2 doesn't work, but I would like it to connect to host2 at 172.16.10.2.

I would like to do this so I don't have to add a bunch of entries into the hosts file or set up my own DNS just to manage those zones.

Thanks, Paul

P1

Google DNS doctoring.

formatting link

Artie Lange

However you still need an internal DNS server.

Artie Lange

Good document, thanks! I think the solution I was looking for is in the same doc, but presented as "Alternative Solution: Destination NAT". I will try this out.

Btw, the first solution (DNS Doctoring) does not require an internal DNS server. The exact purpose of this solution is for a situation where there isn't one. If there was one, the zones could be altered internally.

P1

You are correct. Sorry for the misinformation.

Artie Lange

For the benefit of future searchers...

The Destination NAT solution works fine between subnets (I have multiple DMZs). For the same result within the same subnet, however, another solution must be used. It's called Hairpinning and is described here:

formatting link
Be sure to read the caution caveat described at the top of the section before implementing this solution. This will basically allow you to connect to the public IPs of hosts on the same subnet as you.

P1

Hairpinning will only work with OS version 7.X.

formatting link
same-security-traffic permit intra-interface

Artie Lange
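
The hairpinning setup discussed in the posts above, written out for the thread's example addresses as an added example (it is not from the original posters or from the document they linked). It uses ASA 7.x syntax and assumes the inside network is 172.16.10.0/24 and that NAT ID 1 is the one used for inside hosts.

```cisco
! Added example. Assumptions: ASA 7.x syntax, inside subnet 172.16.10.0/24,
! NAT ID 1. Adjust the subnet and NAT ID to match the running configuration.

! Existing outside-facing statics, as given in the first post.
static (inside,outside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255
static (inside,outside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! Permit traffic to enter and leave the same interface. Without this the
! ASA drops a packet from host1 that has to go back out the inside interface.
same-security-traffic permit intra-interface

! Destination NAT on the inside interface: an inside client that targets a
! public address is translated to the real inside address of that host.
static (inside,inside) 123.123.123.1 172.16.10.1 netmask 255.255.255.255
static (inside,inside) 123.123.123.2 172.16.10.2 netmask 255.255.255.255

! Source NAT for the hairpinned flow: the client is translated to the ASA's
! inside interface address. Without it host2 would answer host1 directly on
! the LAN from 172.16.10.2, and host1 would discard the reply because it
! opened the connection to 123.123.123.2.
global (inside) 1 interface
nat (inside) 1 172.16.10.0 255.255.255.0

! Check from exec mode after a test connection from host1 to 123.123.123.2:
!   show running-config same-security-traffic
!   show xlate
```

With this in place, every connection made to a neighbour's public address passes through the firewall, and the destination host logs the ASA's inside interface address as the client instead of the real source, which matters for access controls and log review on those hosts.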
