Cisco ASA 5505, 8.4.3
- LAN: 10.0.15.0, Security Level 100
- WIRELESS: 10.0.17.0, Security Level 75
- WAN: Security Level 0
From the WIRELESS interface I need to access servers on the LAN. The problem is WIRELESS traffic heads out on WAN1 and does not make it back in to LAN. To solve this problem on the LAN I simply created DNS entries for the servers to point to LAN IPs. This is not possible on the WIRELESS interface because it uses external DNS servers. I'd like for the WIRELESS interface to use external IPs then pass back through the firewall.
What additional information must I post to help find a solution to this problem?
Best Answer
Not to be pedantic but going from WIRELESS to LAN is not a hairpin as the traffic travels from one interface to another. A hairpin would be from WIRELESS to WIRELESS or from LAN to LAN -- an altogether more challenging problem than what you have requested.
However, to pass traffic from WIRELESS (security-level 75) to LAN (security-level 100), ensure that you have an ACL permitting traffic from the real source IPs on WIRELESS to the real IPs on LAN. Regardless of NAT, real IPs are used in ASA 8.3+.
Use the "any" keyword for the mapped interface in the Object NAT of the server (behind the LAN interface) itself. Example:
Be very careful using the "any" keyword in Object NAT, especially with dynamic PAT and dynamic NAT. Read the ASA 8.4 Configuration Guide NAT section.
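The following ASA 8.4 configuration is an added, constructed illustration of the approach the answer describes; it is not the answerer's own example. The server address 10.0.15.10, the public mapped address 203.0.113.10, and the object and ACL names are assumptions; the interface names and subnets come from the question.

```cisco
! Constructed example for ASA 8.3+/8.4 (not from the original answer).
! Assumed: LAN server 10.0.15.10, its public address 203.0.113.10;
! object and ACL names are placeholders.
!
! Object NAT for the server. The mapped interface is "any", so the
! static translation applies when the mapped IP is reached from WAN
! *and* from WIRELESS: a wireless host that connects to 203.0.113.10
! (the address external DNS returns) is untranslated to 10.0.15.10 and
! forwarded out the LAN interface instead of toward WAN.
! This is a static one-to-one mapping; the answer's caution about "any"
! matters most with dynamic NAT/PAT, which would also translate traffic
! between the internal interfaces.
object network SRV-LAN
 host 10.0.15.10
 nat (LAN,any) static 203.0.113.10
!
object network WIRELESS-NET
 subnet 10.0.17.0 255.255.255.0
!
! ACL applied inbound on WIRELESS. From 8.3 on, ACLs match the REAL
! address (10.0.15.10), not the mapped one (203.0.113.10), regardless
! of NAT. Only the needed ports are opened toward the server; the rest
! of the LAN subnet stays closed to WIRELESS (lower security level),
! while the normal Internet path for wireless clients is preserved.
access-list WIRELESS_IN extended permit tcp object WIRELESS-NET object SRV-LAN eq 80
access-list WIRELESS_IN extended permit tcp object WIRELESS-NET object SRV-LAN eq 443
access-list WIRELESS_IN extended deny ip object WIRELESS-NET 10.0.15.0 255.255.255.0
access-list WIRELESS_IN extended permit ip object WIRELESS-NET any
access-group WIRELESS_IN in interface WIRELESS
```

To confirm the flow on the box, run packet-tracer with a wireless source and the public server address, e.g. packet-tracer input WIRELESS tcp 10.0.17.50 1025 203.0.113.10 80; the output should show an UN-NAT phase to 10.0.15.10 and an egress interface of LAN.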