Re: [c-nsp] NAT and hairpin's

2008-07-18 Thread Ted Mittelstaedt

So what happened to the CPU of the ASA when the PC and server
started sending 100Mbt of data to each other?  Or was one of
them running 10BaseT, half-duplex?

Ted

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Fawcett Simon
 Sent: Thursday, July 17, 2008 3:40 AM
 To: Geyer, Nick; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] NAT and hairpin's
 
 
 I have done this on an ASA running 7.2 code. It definitely works.
 
 What happened was the inside server was, say, 10.0.0.1 with an outside
 address 1.1.1.1; all client traffic by default was NATted to a hide
 address 2.2.2.2.
 
 My PC, therefore, was 10.0.0.2 heading for 1.1.1.1.  I was NATted by the
 hide address so my source was 2.2.2.2.
 
 The only odd thing about it was that you then needed to permit on the
 outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and
 everything worked.
 
 I hope this makes sense and helps someone
 
 God bless the ASA
 
 Simon 
 
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NAT and hairpin's

2008-07-17 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Marc Archer
 Sent: Wednesday, July 16, 2008 10:25 PM
 To: Geyer, Nick
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] NAT and hairpin's
 
 
 Hi Nick,
 
 We had the same problem at work and used DNS to get around it. The only
 solution we found was to have a second internal DNS that would resolve to
 the internal IP so that both internal and external users could access the
 server from a common DNS name.
 

IOS nat code will rewrite the DNS query if the DNS server is
on the outside and the clients are on the inside, so that the
clients get the internal number, not the external number.

The only caveat is that you have to statically map an
outside IP number to the inside IP number; you can't port
forward off an overloaded outside interface and have the
DNS magic work.

Ted
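Ted's point about the DNS rewrite, shown as an added Python model rather than any Cisco code: an A record carrying the public address of a 1:1 statically mapped host is rewritten to the inside address as the response passes from the outside DNS server to an inside client, while addresses with no 1:1 map (a port-forward off the overloaded interface) are left alone. The addresses are Nick's constructed ones; the message builder, the function names and the 300 s TTL are my assumptions.

```python
import socket
import struct

# Nick's constructed addresses: public 203.1.2.3 is a 1:1 static map to the
# inside server 192.168.1.1. Only such 1:1 maps can be doctored (Ted's caveat).
STATIC_OUT_TO_IN = {"203.1.2.3": "192.168.1.1"}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                   # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte compression pointer ends it
            return off + 2
        off += 1 + length


def doctor_reply(msg: bytes, static: dict) -> tuple:
    """Rewrite A-record RDATA in a DNS response passing from outside to inside.
    Returns (rewritten_message, number_of_records_changed)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    changed = 0
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            public = socket.inet_ntoa(msg[off:off + 4])
            if public in static:
                out[off:off + 4] = socket.inet_aton(static[public])
                changed += 1
        off += rdlen
    return bytes(out), changed


def build_reply(name: str, addrs: list, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (one question, one A record per address)
    so the doctoring can be exercised offline; the name is constructed."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)                                     # name = pointer to offset 12
    return header + question + answers
```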


Re: [c-nsp] NAT and hairpin's

2008-07-17 Thread Brett Looney
 Just wondering if anyone has come up with a way to hairpin traffic
 using a Cisco router? The problem is as follows;

Sounds just like NAT on a stick:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

B.



Re: [c-nsp] NAT and hairpin's

2008-07-17 Thread Fawcett Simon
I have done this on an ASA running 7.2 code. It definitely works.

What happened was the inside server was, say, 10.0.0.1 with an outside
address 1.1.1.1; all client traffic by default was NATted to a hide
address 2.2.2.2.

My PC, therefore, was 10.0.0.2 heading for 1.1.1.1.  I was NATted by the
hide address so my source was 2.2.2.2.

The only odd thing about it was that you then needed to permit on the
outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and
everything worked.

I hope this makes sense and helps someone

God bless the ASA

Simon 

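As an added illustration, not code from the thread or from Cisco, here is a small Python model of the two NAT behaviours the thread contrasts: the classic router Nick describes, which only consults the static map for packets entering on the outside interface, and a hairpin-capable NAT of the kind Simon saw on the ASA and RFC 4787 calls hairpinning (REQ-9). The addresses are Simon's constructed ones; the sequential PAT port allocation and session table are my simplification.

```python
from dataclasses import dataclass

# Constructed addresses from Simon's post: inside server 10.0.0.1 has a
# 1:1 static map to outside 1.1.1.1; every other inside host is hidden
# (PAT) behind the single outside address 2.2.2.2.
STATIC = {"10.0.0.1": "1.1.1.1"}            # inside -> outside
STATIC_REV = {v: k for k, v in STATIC.items()}
HIDE = "2.2.2.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Nat:
    """Toy NAT; hairpin=True models RFC 4787 REQ-9 (hairpinning) behaviour."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.sessions = {}        # hide port -> (inside client, client port)
        self.next_port = 40000    # simplification: sequential PAT ports

    def _alloc(self, src: str, sport: int) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (src, sport)
        return port

    def from_inside(self, pkt: Packet):
        """Handle a packet entering on the inside interface.
        Returns the packet as forwarded, or None if it cannot be delivered."""
        if pkt.dst == HIDE:
            # Reply leg of a hairpinned session (server answers 2.2.2.2):
            # undo both translations so the client sees 1.1.1.1 replying.
            if not self.hairpin or pkt.dport not in self.sessions:
                return None
            client, cport = self.sessions[pkt.dport]
            return Packet(STATIC.get(pkt.src, pkt.src), client, pkt.sport, cport)
        inside_dst = STATIC_REV.get(pkt.dst)
        if inside_dst is not None and not self.hairpin:
            # Classic behaviour Nick hit: the static map is only consulted for
            # packets entering on the outside interface, so this packet heads
            # for the Internet with dst 1.1.1.1 and never reaches the server.
            return None
        if pkt.src in STATIC:
            src, sport = STATIC[pkt.src], pkt.sport      # 1:1 map keeps the port
        else:
            src, sport = HIDE, self._alloc(pkt.src, pkt.sport)
        # A translated destination sends the packet back out the inside
        # interface: the server sees 2.2.2.2 -> 10.0.0.1, as Simon saw, which
        # is why his outside ACL also had to permit 2.2.2.2 -> 1.1.1.1.
        return Packet(src, inside_dst or pkt.dst, sport, pkt.dport)
```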


Re: [c-nsp] NAT and hairpin's

2008-07-17 Thread Wink

see:

ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-behave-tcp-07.txt

and

http://tools.ietf.org/html/rfc4787



See section 7.2 in the first.  It looks like what you are asking for 
will be required of all NAT implementations soon for TCP.  It is already 
a BCP and a requirement for UDP.




Re: [c-nsp] NAT and hairpin's

2008-07-17 Thread Rick Martin
We run into this frequently with our public school networks; a couple
of things we try to do:

1. Eliminate the hairpin traffic to the router - DNS trickery as already
mentioned and/or a second NIC in the target server. We configure our
routers with the public network as a secondary IP on the router; you
would still have the hairpin traffic without the aid of DNS trickery.
The DNS trickery may be nothing more than a local hosts file on each
internal client that the TCP stack would reference before looking to the
configured DNS server. This local hosts file would have a DNS mapping for
the local server pointing to the private address.

2. ALWAYS include "ip route-cache same-interface" on a router interface
that might experience hairpin traffic.

If the traffic is not terribly significant, the route-cache
same-interface is usually sufficient; if the traffic is expected to be
significant we do everything we can to eliminate the hairpin traffic
altogether.






[c-nsp] NAT and hairpin's

2008-07-16 Thread Geyer, Nick
Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows:

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g.:

203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
the outside interface)

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NATs set up
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the inside interface (and the static NAT only works for requests from
the outside interface).

I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.



Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Marc Archer
Hi Nick,

We had the same problem at work and used DNS to get around it. The only
solution we found was to have a second internal DNS that would resolve to
the internal IP so that both internal and external users could access the
server from a common DNS name.

Marc.



Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Ben Steele

This is where DNS doctoring on the ASA/PIX really comes in handy!

Split DNS is usually the way to go, but I had another thought: can you
put the public 203 address as an alias on the server and then set up a
policy route-map on your LAN interface to match packets with a
destination of your server and port, say something like "permit tcp
LAN host 203.1.2.3 eq 80", then put a "set ip next-hop SERVER LAN IP"?





Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Geyer, Nick
Hi Marc,

That's what I usually do as well.

In this scenario though an internal DNS server is not an option as all
traffic is by IP address, not hostname. It's got me stumped and I know
Cisco used to say it was not possible, but I am just wondering if there is
anything new that could be used/manipulated to do this.

Cheers



From: Marc Archer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 17 July 2008 3:25 PM
To: Geyer, Nick
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT and hairpin's

 

Hi Nick,

We had the same problem at work and used DNS to get around it. The only
solution we found was to have a second internal DNS that would resolve
to the internal IP so that both internal and external users could access
the server from a common DNS name.

Marc.
