ASA 5512X - Connectivity between interfaces via the OUTSIDE interface

richard.quick1
Level 1

Hi,

I have an ASA5512X and am experiencing an issue with connectivity.

Basic network layout is -

                                    Inside-Gi0/1
                             - - -  Mail Server A (local IP 192.1.1.1)
                            |       Public IP 1.1.1.1
                            |
OUTSIDE - - - ASA 5512X - -
                            |
                            |       Inside-Gi0/5
                             - - -  Mail Server B (local IP 10.0.1.1)
                                    Public IP 1.1.1.2

We have 2 systems connected to separate interfaces and networks; if one system tries to send an email to the other, it fails to send. They are resolving the correct public IP address for the server but nothing is getting through.

If we ping mail.fqdn it resolves to the correct IP 1.1.1.1.

When we try to telnet to port 25 from Mail Server B we get the following:

[root@ms1 ~]# telnet mail.fqdn 25

Trying 1.1.1.1…

It appears traffic cannot pass out from interface Gi0/5 to the internet and come back in on interface Gi0/1.

Does anyone have any explanation why this could be happening?

Thank you in advance


5 Replies

niko
Level 1

Looks like a hairpin issue: https://supportforums.cisco.com/t5/security-documents/hairpin-u-turn-traffic-off-an-interface-on-an-asa-running-8-3-or/ta-p/3129668

If possible, point the FQDN of Mail Server B to the inside address of Mail Server A, so traffic does not have to make these turns.

Thanks for your response, I will read the linked information to see if this helps me.

Traffic cannot go between Mail Server A and Mail Server B directly as the interfaces need to be kept separate.

Hi Richard,

It seems that you will need to set up U-NAT (Hairpinning) to make it work. This is happening because the ASA doesn't know how to forward the traffic back.

To do that you will need to create a NAT rule:

Original Packet:
Source Interface: Inside Gi0/5
Destination Interface: Outside
Source Address: 10.0.1.1
Destination Address: 1.1.1.1
Service: 25

Translated Packet:
Source Address: Inside G0/1
Destination Address: 192.1.1.1
Service: Original

Another solution is to have a local DNS server, or to edit the hosts file of the mail server, so that the public IP resolves to the internal one.

HTH

Hi,

Would 'normal' SMTP traffic leave as normal, or would this stop SMTP traffic from going to the outside for other mail servers?

Thanks

Hi,

This NAT rule will only trigger when traffic originates from 10.0.1.1 with a destination of 1.1.1.1, inbound on Inside Gi0/5. Normal traffic (not destined to 1.1.1.1) will leave through the outside interface.

HTH
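As an added example (not configuration posted in this thread), here is what the accepted answer's NAT rule, and the scoping described in the last reply, look like on the ASA CLI in 8.3+ NAT syntax. The addresses and port come from the thread; the interface names INSIDE-A (Gi0/1), INSIDE-B (Gi0/5) and outside, the object names, and the assumption that both inside interfaces share a security level are mine.

```text
! Assumed nameifs: INSIDE-A = Gi0/1 (Mail Server A), INSIDE-B = Gi0/5 (Mail Server B)
object network MAIL-A-REAL
 host 192.1.1.1
object network MAIL-A-PUBLIC
 host 1.1.1.1
object network MAIL-B-REAL
 host 10.0.1.1
object service SMTP
 service tcp destination eq 25

! Twice (manual) NAT. It sits in section 1, so it is evaluated before the object NAT
! that publishes 1.1.1.1 on the outside interface, and it matches only TCP/25 from
! 10.0.1.1 to 1.1.1.1 arriving on INSIDE-B. The destination is rewritten to 192.1.1.1
! and the source is PATed to the INSIDE-A interface address, so Mail Server A replies
! to the ASA and the return traffic is symmetric. All other SMTP from INSIDE-B still
! follows the default route out of the outside interface.
nat (INSIDE-B,INSIDE-A) source dynamic MAIL-B-REAL interface destination static MAIL-A-PUBLIC MAIL-A-REAL service SMTP SMTP

! Assumed: both inside interfaces have the same security level, so inter-interface
! forwarding must be permitted explicitly. If an access-group is applied on INSIDE-B,
! its entry must permit tcp 10.0.1.1 -> 192.1.1.1 eq 25: on 8.3+ ACLs are written
! against real (untranslated) addresses.
same-security-traffic permit inter-interface

! Verify that this rule is selected and the translation applied before changing anything
! on the mail servers. 40000 is a constructed ephemeral source port.
packet-tracer input INSIDE-B tcp 10.0.1.1 40000 1.1.1.1 25
show nat detail
show xlate
```

Because the source is translated to the ASA's INSIDE-A address, Mail Server A's logs will record the connection as coming from the firewall rather than from 10.0.1.1; if that matters for relay restrictions or mail logging, the dynamic source translation can be narrowed or replaced, but the destination translation is what makes the hairpin work.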