topic Re: Hairpinning Port Redirects on ASA 5510 in Network Security

Hairpinning Port Redirects on ASA 5510

EverydaySolutions — Mon, 11 Mar 2019 16:56:26 GMT

I have an urgent configuration issue. I have port 80 open and forwarded through my firewall which works great from the outside but does not work from within the network.

Have tried the same-security-traffic permit intra-interface command and everything else I could find online but still get nothing from inside the network.

I really need this to work from the inside for mail etc.

Any Help would be greatly appreciated!

here is my config:

asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password OTWkIuDnLYMtYMea encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif WAN1
 security-level 0
 ip address 64.61.54.114 255.255.255.248 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.3.1 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN1_access_in extended permit tcp any any eq www 
access-list WAN1_access_in extended permit icmp any any 
access-list 1 standard permit 10.10.3.0 255.255.255.0 
access-list outside_nat0 extended permit ip 10.10.3.0 255.255.255.0 10.10.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu WAN1 1500
mtu management 1500
no failover
monitor-interface WAN1
monitor-interface management
icmp permit any WAN1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN1) 10 interface
global (management) 1 interface
nat (WAN1) 0 access-list outside_nat0
nat (management) 10 0.0.0.0 0.0.0.0
static (management,WAN1) tcp interface www 10.10.3.60 www netmask 255.255.255.255 
static (management,management) tcp interface www 10.10.3.60 www netmask 255.255.255.255 
access-group WAN1_access_in in interface WAN1
route WAN1 0.0.0.0 0.0.0.0 64.61.54.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 1
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
http server enable
http 10.10.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.3.2-10.10.3.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:5adffc48b154a93b54abf54e2fc59265
: end

Re: Hairpinning Port Redirects on ASA 5510

acomiskey — Tue, 12 Jan 2010 13:58:00 GMT

Change

global (management) 1 interface

global (management) 10 interface

Re: Hairpinning Port Redirects on ASA 5510

EverydaySolutions — Tue, 12 Jan 2010 14:03:03 GMT

I tried that already, no luck.

Actually it turns out after much research that this is impossible on software version 7.0.8, it was first allowed in version 7.2

Re: Hairpinning Port Redirects on ASA 5510

Diego Armando Cambronero Arias — Tue, 12 Jan 2010 23:53:46 GMT

Could you please attach a topology. Is the server in a remote INSIDE LAN?

Re: Hairpinning Port Redirects on ASA 5510

Kureli Sankar — Wed, 13 Jan 2010 00:49:44 GMT

U-Turn translation is not a very good idea. Pls. remove this static

static (management,management) tcp interface www 10.10.3.60 www netmask 255.255.255.255

Pls. try to access the inside server using only its inside ip address

10.10.3.60.

http://10.10.3.60

does work from the inside computers right? 

The inside computers in 10.10.3/24 network should be able to access other server in the same 10.10.3.0/24 network

and that traffic should not even come to the firewall.  

-KS

Re: Hairpinning Port Redirects on ASA 5510

EverydaySolutions — Wed, 13 Jan 2010 00:55:57 GMT

This is a unique environment where using external addresses is necessary.

This is a very standard setup, one inside interface and one external.

I will be doing an upgrade from 7.0.8 to 7.2 tommorrow to see if that fixes the problem

Any one else solve this issue by upgrading?

Re: Hairpinning Port Redirects on ASA 5510

Kureli Sankar — Wed, 13 Jan 2010 02:32:44 GMT

Yes, the command was added only for encrypted traffic in 7.0 as you can read here:

Relese Note 7.0

http://www.cisco.com/en/US/docs/security/asa/asa70/release/notes/asa_rn.html#wp207751

Release Note 7.2

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html#wp37875

Intra-Interface Communication for Clear Traffic

You can now allow any traffic to enter and exit the same interface, and not just VPN traffic.

7.2(1)

The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.

You need to upgrade past 7.2.1 to be able to use same security command for clear traffic.

-KS

Re: Hairpinning Port Redirects on ASA 5510

EverydaySolutions — Wed, 13 Jan 2010 02:50:14 GMT

Thanks for confirming that for me, it was driving me crazy!

Re: Hairpinning Port Redirects on ASA 5510

Scott Pickles — Thu, 14 Jan 2010 03:37:54 GMT

Jared -

I also had to perform DNS doctoring/rewrite because of the enforcing of HTTP Headers on our IIS server. You may need that as well. The problem for me was that internal users couldn't browse our website using DNS without the rewrite, and they couldn't use the private internal IP of the website due to the header requirement. Using hairpinning with DNS doctoring worked for me.

Regards,
Scott