
Allow ASA to route to own external ip addresses


  • Allow ASA to route to own external ip addresses

    Ok, ignore the naff subject! Here is more detail:

    We have an internal wifi network which uses an external DNS server (OpenDNS for web filtering purposes). When a user wants to access an internal server (such as Exchange for OWA) the external DNS server resolves the address to the server's external IP address. The ASA doesn't like this.

    So is there a way to allow / force / fudge the ASA to permit this? Basically the user is going out in IP address 123.456.789.1 (ASA NAT address for network out traffic) and the IP address they are trying to get to is 123.456.789.2 (the external NAT IP address of the OWA server for example).

    Hope this makes sense to someone! Lol
    Server 2000 MCP
    Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Allow ASA to route to own external ip addresses

    The ASA doesn't allow "hair pinning" by default. Since the server resolves to a public IP address, when a user inside attempts to open an HTTP session the flow goes from the inside and a connection is built to the outside. The problem comes in because the public IP resolves to an internal host and it tries to come back to the inside interface, and the packet is dropped.

    Change the static nat statement for the OWA server and add the dns keyword to the end of the static. (DNS Doctoring)

    Now the ASA will rewrite the A record for said server and redirect them to the internal host.

    static (inside,outside) x.x.x.x y.y.y.y "internal ip address" netmask x.x.x.x dns

    This static assumes ASA pre 8.3.
    Last edited by auglan; 22nd February 2012, 15:47.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
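
    The static described in the reply above, written out as an added example (not the poster's configuration and not a verified excerpt from any Cisco document). The addresses are placeholders: 10.1.1.5 stands for the OWA server's real inside address and 203.0.113.2 for its mapped outside address. The example goes beyond the thread in two ways: it also gives the 8.3-and-later object NAT form of the same static, and it shows the DNS inspection line the rewrite depends on. The rewrite only applies to DNS replies that actually pass through the ASA, which is the case here because OpenDNS answers arrive from the outside interface.

    ```cisco
    ! Added example (not from the thread): DNS doctoring for an internal OWA
    ! server whose public A record points at its NAT address.
    ! Placeholder addresses: 10.1.1.5 = real inside IP, 203.0.113.2 = mapped outside IP.

    ! --- Pre-8.3 syntax (the form used in the reply above) ---
    ! Without "dns": inside users resolving the OWA name get 203.0.113.2; the flow
    ! leaves via outside and then has to turn back in, and the ASA drops it.
    static (inside,outside) 203.0.113.2 10.1.1.5 netmask 255.255.255.255
    ! With "dns": the ASA rewrites the A record in inspected replies, so inside
    ! users receive 10.1.1.5 and connect to the server directly on the inside.
    static (inside,outside) 203.0.113.2 10.1.1.5 netmask 255.255.255.255 dns

    ! --- 8.3 and later: the equivalent object NAT statement ---
    object network OWA-SERVER
     host 10.1.1.5
     nat (inside,outside) static 203.0.113.2 dns

    ! The rewrite happens inside DNS application inspection, so it must be
    ! enabled in the global service policy (it is part of the default policy):
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
    ```

    A quick way to confirm the rewrite is working is to resolve the OWA name from an inside host after the change: the answer should now be the inside address, not the public one. If it still returns the public address, check that the DNS replies are passing through an interface where the inspection policy applies and that the reply is a plain UDP DNS answer rather than one the resolver cached earlier.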


    • #3
      Re: Allow ASA to route to own external ip addresses

      As a workaround, you could set up a standalone DNS server with the internal zone with the necessary records and then forward the rest of the queries to OpenDNS.

      Network Consultant/Engineer
      Baltimore - Washington area and beyond