topic Re: hairpinning - ok or not ok? in Network Security

hairpinning - ok or not ok?

mikeccit — Mon, 11 Mar 2019 19:51:52 GMT

We have found that hairpinning an interface on our ASA will resolve a problem, but we're not sure if it's a good or bad idea. Is hairpinning an ok or not ok practice?

Mike

Re: hairpinning - ok or not ok?

Jennifer Halim — Wed, 16 Feb 2011 23:48:55 GMT

Hairpinning on ASA is not a problem, however, we often found that it breaks traffic flow more than resolving problem especially in this scenario:

- Traffic originates from the same subnet as ASA interface and it has been configured as its default gateway --> this will break TCP application due to the following reason:

TCP SYN: from host-A - ASA interface - destination-B

TCP SYN-ACK: from destination-B - directly to host-A (because ASA interface is in the same subnet as host-A, it will go directly instead of routed to ASA interface first).

TCP ACK: from host-A - ASA interface (ASA in this instance will drop the connection since it never saw the TCP SYN-ACK).

Re: hairpinning - ok or not ok?

Sudeep Khuraijam — Thu, 17 Feb 2011 00:08:00 GMT

I have found hairpinning to be indeed a useful hack many times. You need explicity allow intra interface and

have ACL allows. Also you might want to look at using static arp ( for another ip address on the ASA interface) and assigning a different default gateway to a class of servers with a smaller subnet than the ASA interface.