topic I got it to work! Below is in Network Security

Hairpinning?

Computerwiz24 — Tue, 12 Mar 2019 08:24:11 GMT

Hello,

I have a Cisco ASA 5505 Firewall I need some help with. I have 2 cameras set up on my inside network that I need access to from my outside network. I setup the NAT rules from outside to inside along with the access list to allow traffic. Everything works fine as long as I'm not on my internal network. When I'm on my internal work it doesn't work. I need to set it up so I can use my external IP for both internal and external use. Doing some research I think I need to use hairpinning? I have tried setting it up but not having much luck. Can someone help me with the config needed for hairpinning? I can post my config if needed. Thank you for any help on this issue.

Hi,

Aditya Ganjoo — Sun, 16 Oct 2016 07:48:14 GMT

Hi,

Are you using same-security-traffic permit intra-interface command on the ASA ?

Also please share the config snippet that you have used for the hairpinning ?

Please share the packet tracer output for the inside traffic as well.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I do have same-security

Computerwiz24 — Tue, 18 Oct 2016 21:10:35 GMT

I do have same-security-traffic permit intra-interface enabled on the ASA. I deleted my hairpinning config to start over. Do I need a route from inside to inside? Also do I need a NAT statement to pass hairpinning traffic? Attached is my running config. Thank you

Hi,

Aditya Ganjoo — Wed, 19 Oct 2016 04:46:17 GMT

Hi,

Please share the output of packet tracer output for the concerned traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Attached is the packet tracer

Computerwiz24 — Sat, 22 Oct 2016 02:36:25 GMT

Attached is the packet tracer output Thank you

Hi,

Aditya Ganjoo — Sat, 22 Oct 2016 05:13:35 GMT

Hi,

It gives an ACL drop but you already have enabled same-security command.

So could you check if you have a NAT statement configured for the traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I have NAT Rule set up but I

Computerwiz24 — Sun, 23 Oct 2016 00:28:24 GMT

I have NAT Rule set up but I don't know I have it correct. I attached my running config

Thank you

Don't have any config to take

niko — Tue, 25 Oct 2016 19:15:50 GMT

Don't have any config to take a look at, but you could try editing your hairpin NAT rule:

nat (inside,inside) source static <inside_client_ip> <inside_client_ip> destination static <outside_camera_ip> <inside_camera_ip>

DNS Rewrite / Doctoring might

craig.cordts — Wed, 02 Nov 2016 22:17:39 GMT

DNS Rewrite / Doctoring might work for this.

From http://packetsneverlie.blogspot.com/2010/08/dns-rewrite.html

DNS Rewrite is a feature of the ASA and PIX that enable the firewall to rewrite DNS A queries when the destination server is located at the same network that the client or, for example, if the public IP address of that server is statically mapped to some DMZ address

Here is another good article from Cisco

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Good luck

Craig

This is what we need here:

Ajay Saini — Thu, 03 Nov 2016 10:51:25 GMT

This is what we need here:

While accessing this from internal, we need 2 things:

1. destination translation so that when we hit the public ip, firewall should do a proxy-arp and send traffic back to internal camera real ip

2. source ip mapped to internal interface ip address so that reply packets go back to ASA and hence we dont have asymetric routing.

Remove the (inside,inside) nat statement that you have added and try below (I am taking an example):

real ip of camera - x.x.x.x

mapped ip of camera - y.y.y.y

object network obj-real

host x.x.x.x

object network obj-map

host y.y.y.y

nat (inside,inside) source dynamic any interface destination static obj-map obj-real

Please try this in a downtime and let me know if that works.

HTH

niko,

Computerwiz24 — Sat, 10 Dec 2016 15:46:22 GMT

niko,

Can i use <any> for my client IP? I want any inside address to be able to access cameras. i can attach my running config if that helps?

Thank you

So i got part of it figured

Computerwiz24 — Sat, 10 Dec 2016 17:33:15 GMT

So i got part of it figured it I have one camera working but the other still doesn't work. I think the reason is i have to use <any> Service to get it to work. Since i have to use my outside interface for the destination on both Im thinking the service port will determine which NAT rule to use.With <any> service port the first NAT rule accepts and it never makes it to the next rule. therefore the 2nd camera never gets permitted.I change the order of the NAT rules and the other camera starts working. If i change the service to the port I'm using instead of <any> the camera quits working. Any idea what causes this?

Can you please share the 2

Ajay Saini — Mon, 12 Dec 2016 10:00:46 GMT

Can you please share the 2 NAT statements that you add when using 'port' instead of 'any' in (inside,inside) nat statement. Also, please attach the syslogs you see when none of the camera works.

We have to use port based NAT statement coz if we use 'any', as you correctly figured out, only first nat will be honored and second will never be matched.

Also, I would recommend using PATing the inside user to inside interface ip address so that reply packet comes to ASA interace and the traffic flow is symmetric.

something like below:

nat (inside,inside) source static <inside_client_ip> <inside interace ip> ...*************

Linkin.24

Computerwiz24 — Thu, 15 Dec 2016 18:08:55 GMT

Linkin.24

Is this what you need to see?

These are the NAT statements I have when neither camera works

See Attached

If I change it to what's

Computerwiz24 — Thu, 15 Dec 2016 18:12:36 GMT

If I change it to what's shown in this screen shot attached one camera will work

Thank you

Hello,

Ajay Saini — Sun, 18 Dec 2016 06:10:53 GMT

Hello,

The screenshot didn't help much. I am used to CLI anyways.. Could you please have 2 NAT statements as below:

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1

Add this for 2 different destination ports as requirement. you can follow the below doc which has the same example:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html

Remember, the only way it can work is to make either of the things unique - source address, dest addr or source port or dest port. Unfortunately, the only thing we can utilize is dest port. Please try in a maintenace window and let us know if it works.

AJ,

Computerwiz24 — Sun, 05 Mar 2017 01:49:52 GMT

AJ,

I don't quite understand the twice NAT? Can you explain and post an example?

Thank you

Hello,

Ajay Saini — Fri, 10 Mar 2017 21:50:08 GMT

Hello,

Sorry for delay in response. All I suggested is to create 2 twice NAT statements wherein the destination real port is different and mapped port is same. Except the destination real port, NAT statements are exactly same. Let me know if that fits your requirement. The link that I attached talks about same stuff.

The idea is to map the source ip to interface and destination mapping remains same combo. Just the dest port differs. Try to understand the flow here and you will get it.

Let me know if there are any questions.

No problem on the delay. So

Computerwiz24 — Sat, 11 Mar 2017 00:52:43 GMT

No problem on the delay. So for example if my outside ip was x.x.x.x and my inside device was 192.168.1.200 on a 192.168.1.0 255.255.255.0 subnet when im on the internal network using my public IP would my NAT statement look like this?

Nat (inside,inside) source dynamic 192.168.1.0 interface destination static x.x.x.x 192.168.1.200

Thank you

Yes, and since you need

Ajay Saini — Sat, 11 Mar 2017 17:03:03 GMT

Yes, and since you need access on 2 destination ports, you can 2 of these statements with 2 different port numbers - one real and other mapped.

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1

'any' will be your inside network 192.168.1.0/x

obj-real = 192.168.1.200

obj-map = x.x.x.x

MAPPED_port = first mapped port on which access is needed

MAPPED_port1 = second port on which access is needed

REAL_port1 - is the actual port on which server is listening

If you dont have a second destination port, you can just add one statement.

HTH