https://community.cisco.com/t5/network-security/hairpin-static-nat/m-p/2312028#M344587 <P>I created a hairpin NAT statement on an ASA so that users can access an internal website using it's external IP address.&nbsp; I'm able to ping the site from the workstations without a problem, but I'm unable to pull up the site.&nbsp; It works fine externally.&nbsp; Anyone run into a similar issue?&nbsp; Running 8.2(5).</P> Tue, 12 Mar 2019 02:26:19 GMT chevymannie 2019-03-12T02:26:19Z https://community.cisco.com/t5/network-security/hairpin-static-nat/m-p/2312028#M344587 <P>I created a hairpin NAT statement on an ASA so that users can access an internal website using it's external IP address.&nbsp; I'm able to ping the site from the workstations without a problem, but I'm unable to pull up the site.&nbsp; It works fine externally.&nbsp; Anyone run into a similar issue?&nbsp; Running 8.2(5).</P> Tue, 12 Mar 2019 02:26:19 GMT https://community.cisco.com/t5/network-security/hairpin-static-nat/m-p/2312028#M344587 chevymannie 2019-03-12T02:26:19Z https://community.cisco.com/t5/network-security/hairpin-static-nat/m-p/2312029#M344588 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You are most probably lacking a translation for the source address while you have the translation for the destination address.</P><P></P><P>What I mean is that the connection currently goes like this</P><UL><LI>Host connects to server public</LI><LI>Connection reaches ASA</LI><LI>ASA untranslates the destination address to the real IP address</LI><LI>The server sees the connection coming from a local IP address</LI><LI>The server replies to that local IP address directly wihtout sending the traffic to ASA (as it sees the source host in the same network)</LI><LI>Connection gets stuck because the traffic doesn flow correctly </LI></UL><P></P><P>So lets use these examples information to configure the correct translation</P><UL><LI>Local network 10.10.10.0/24</LI><LI>Server 10.10.10.10</LI><LI>Public IP address 1.1.1.1</LI><LI>Interfaces called <STRONG>"inside"</STRONG> and <STRONG>"outside"</STRONG></LI></UL><P></P><P></P><P>Default Dynamic PAT for outbound</P><P></P><P><STRONG>global (outside) 1 interface</STRONG></P><P><STRONG>nat (inside) 1 10.10.10.0 255.255.255.0</STRONG></P><P></P><P>Static NAT outbound</P><P></P><P><STRONG>static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255</STRONG></P><P></P><P>Static NAT for local traffic</P><P></P><P><STRONG>static (inside,inside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255</STRONG></P><P></P><P></P><P>So you probably have all the above things in a similiar form already on the ASA.</P><P></P><P>What you need to add is this</P><P></P><P><STRONG>global (inside) 1 interface</STRONG></P><P></P><P>This&nbsp; (together with the earlier <STRONG>"nat"</STRONG> command) will translated the users source address while connecting the server with the public IP address. Because we translate the users to ASAs <STRONG>"inside"</STRONG> interface IP address this means that ASA will see all the packets related to the connection and the connection should work.</P><P></P><P>Hope this helps</P><P></P><P>Please do remember to mark a reply as the correct answer if it answered your question.</P><P></P><P>Feel free to ask more if needed.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 15 Aug 2013 21:55:35 GMT https://community.cisco.com/t5/network-security/hairpin-static-nat/m-p/2312029#M344588 Jouni Forss 2013-08-15T21:55:35Z