topic Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3) in Network Security

Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

johanc — Fri, 12 Aug 2022 08:30:06 GMT

Hi!

I have found a helpful guide here in the community to be able to configure haipinning NAT on my ASA, but can't get it to work.

My setup
- one external IP-address assigned to outside: a.b.c.d
- one internal subnet with clients running on 10.0.17.0/24
- one DMZ with one server running on 192.168.17.0/24 (the server is on 192.168.17.3)

My goal
- to be able to connect to the server in the dmz from my clients on the inside using the external IP-address
(I can reach the server from "internet" using the external IP-address so those rules work)

What I have tried
1.
nat (inside,dmz) source static inside-network interface destination static obj-a.b.c.d obj-192.168.17.3 description Hairpin
(where obj-a.b.c.d) is a network object "host a.b.c.d" and so on.)
When trying to run this from CLI i get the following error
Result of the command: "nat (inside,dmz) source static inside-network interface destination static obj-a.b.c.d obj-192.168.17.3 description Hairpin
nat (inside,dmz) source static inside-network interface destination static obj-a ^.b.c.d obj-192.168.17.3 description Hairpin
ERROR: % Invalid input detected at '^' marker.
2.
nat (inside,dmz) source dynamic inside-network interface destination static obj-a.b.c.d obj-192.168.17.3
That gives me the same error...

What am I doing wrong?

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

Rob Ingram — Fri, 12 Aug 2022 08:54:34 GMT

@johanc you can configure NAT reflection. Here is an FTD guide, though at the bottom it does have an ASA example - so apply the same logic to your ASA configuration.

https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

johanc — Fri, 12 Aug 2022 10:06:30 GMT

Hi Rob,

But that is exactly the CLI command I have been trying. Just for clarity I added the network object as in the example and ran the command again.

Result of the command: "nat (inside,inside) source static Internal-LAN interface destination static SERVER01-NAT SERVER01"
nat (inside,inside) source static Internal-LAN interface destination static SERV ^ER01-NAT SERVER01
ERROR: % Invalid input detected at '^' marker.

I am sure that the command in the example is correct, but I have some other error somewhere, but where?
I have some other NAT-rules, can those interfere, or what am I doing wrong?
I have included an image of the current NAT-rules i have (just have blacked out some services, but they are setup the same as all others).

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

MHM Cisco World — Fri, 12 Aug 2022 10:26:04 GMT

nat ( real_ifc , mapped_ifc ) source dynamic { real_obj | any }{ mapped_obj | interface destination static { mapped_obj | interface [ ipv6 ]}{ real_obj | any }][ service { mapped_dest_svc_obj real_dest_svc_obj ]

the position of real and mapped Obj must be as show above

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

Rob Ingram — Fri, 12 Aug 2022 10:24:59 GMT

@johanc The object "Internal-LAN" wouldn't exist on your ASA, hence the error. The object "Internal-LAN" was an object used in the example, you'd need to replace this with an object that represents your internal network.

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

johanc — Fri, 12 Aug 2022 10:29:12 GMT

Hi, no I created the object "Internal-LAN" (and also SERVER01_NAT and SERVER01) before i ran the command, so "Internal-LAN" exists (unfortunately).

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

johanc — Fri, 12 Aug 2022 10:37:20 GMT

Hi!
SERVER01-NAT is a defined network object of type "Host" set to my outside IP-address (which is obtained via DHCP since it is the only method my ISP allows). SERVER01 is a defined network object of type "Host" set to the IP address my server has in the dmz (192.168.17.3). Internal-LAN is a defined network obect of type "Network" set to "10.0.0.0/255.255.255.0" which is the network my clients use.

I have tried both these commands with the same result.

Result of the command: "nat (inside,dmz) source static Internal-LAN interface destination static SERVER01-NAT SERVER01"
nat (inside,dmz) source static Internal-LAN interface destination static SERVER0 ^1-NAT SERVER01
ERROR: % Invalid input detected at '^' marker.

Result of the command: "nat (inside,dmz) source static Internal-LAN interface destination static SERVER01 SERVER01-NAT"
nat (inside,dmz) source static Internal-LAN interface destination static SERVER0 ^1 SERVER01-NAT
ERROR: % Invalid input detected at '^' marker.

Regards
Johan

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

MHM Cisco World — Fri, 12 Aug 2022 10:46:39 GMT

and I find issue,
there is no interface Inside the interface is
Inside_1 ,_2 ....etc.
give the real Interface nameif

Re: Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

johanc — Fri, 12 Aug 2022 11:55:06 GMT

Thank you very much!