https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393116#M955918 <P>I have an interesting request from a remote-site&nbsp;not wanting to allow access to a public facing IP. &nbsp;We have a tunnel between their ASA &amp; ours which hairpins traffic to 2 networks out the outside interface.</P> <P>(IPs have been changed to protect the innocent)</P> <P>From the remote-site&nbsp;perspective, they are pointing a host to 10.0.0.1 &amp; 10.0.0.2, then NATing on the edge of their tunnel to destinations 172.16.0.1 &amp; 172.16.0.2 (to keep everything pointed to private IPs).</P> <P>Our outside interface has a private IP&nbsp;on the 172.16.0.x/24 network.</P> <P>172.16.0.1 is the real IP of SERVER1</P> <P>172.16.0.2 is an unused dummy IP on the same subnet, &amp; is only used to NAT to the public I'll refer to as 8.8.8.8.</P> <P>&nbsp;</P> <P>All traffic is initiated from the client's private network, so I would think the stateful TCP connections should allow this to work, &amp; I was able to prove this works in my ASA lab with a simple hairpin nat, but it doesn't seem to be working on the real network with a tunnel involved. &nbsp;Is there something I'm missing that I need to do to allow this to work? &nbsp;Packet-tracer shows the NATing is working as expected, but it claims a deny&nbsp;at the end of the hairpin because it's no longer tunneled traffic once it's headed for the public internet. &nbsp;I've seen in other forums that this is a normal limitation to the packet-tracer tool in regards to tunneled traffic.</P> <P>&nbsp;</P> <P>I have&nbsp;same-security-traffic permit inter/intra-interface enabled. &nbsp;Either one of my nat statements "should" work, but it doesn't seem to be doing the trick.</P> <P>&nbsp;</P> <P>I've included a generic firewall in the drawing to show our public IP for the L2L tunnel is passed through another firewall to us, &amp; that this firewall has the 172.16.0.0/24 network connected to it.</P> <P>&nbsp;</P> <P>What am I missing to make this work as desired?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hairpin.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/12680iC54CA4E872A1E756/image-size/large?v=v2&amp;px=999" role="button" title="hairpin.png" alt="hairpin.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;(EDIT/update with details on my ASA)</P> <P>&nbsp;</P> <P>object network PRIV-IP</P> <P>&nbsp;host 172.16.0.2<BR />object network PUB-IP<BR />&nbsp;host 8.8.8.8<BR />object network REMOTE-HOST<BR />&nbsp;host 192.168.1.10</P> <P>object network REMOTE-HOST2</P> <P>&nbsp;host 192.168.1.11</P> <P>&nbsp;</P> <P>object-group network REMOTE-SITE</P> <P>&nbsp;network-object object REMOTE-HOST</P> <P><SPAN>&nbsp;network-object object REMOTE-HOST2</SPAN></P> <P>&nbsp;</P> <P>access-list TUNNEL-ACL extended permit ip object SERVER1 object-group REMOTE-SITE <BR />access-list TUNNEL-ACL extended permit ip object PRIV-IP object-group REMOTE-SITE <BR />crypto map outside_map 10 match address TUNNEL-ACL</P> <P>&nbsp;</P> <P>nat (outside,outside) source static REMOTE-HOST REMOTE-HOST destination static PRIV-IP PUB-IP<BR />[should also work?] nat (outside,outside) source dynamic REMOTE-HOST interface destination static PRIV-IP PUB-IP</P> <P>&nbsp;</P> <P>object network REMOTE-HOST</P> <P>&nbsp;nat (outside,outside) dynamic interface</P> <P>object network REMOTE-HOST2</P> <P>&nbsp;nat (outside,outside) dynamic interface</P> Fri, 21 Feb 2020 15:50:34 GMT wstucky01 2020-02-21T15:50:34Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393116#M955918 <P>I have an interesting request from a remote-site&nbsp;not wanting to allow access to a public facing IP. &nbsp;We have a tunnel between their ASA &amp; ours which hairpins traffic to 2 networks out the outside interface.</P> <P>(IPs have been changed to protect the innocent)</P> <P>From the remote-site&nbsp;perspective, they are pointing a host to 10.0.0.1 &amp; 10.0.0.2, then NATing on the edge of their tunnel to destinations 172.16.0.1 &amp; 172.16.0.2 (to keep everything pointed to private IPs).</P> <P>Our outside interface has a private IP&nbsp;on the 172.16.0.x/24 network.</P> <P>172.16.0.1 is the real IP of SERVER1</P> <P>172.16.0.2 is an unused dummy IP on the same subnet, &amp; is only used to NAT to the public I'll refer to as 8.8.8.8.</P> <P>&nbsp;</P> <P>All traffic is initiated from the client's private network, so I would think the stateful TCP connections should allow this to work, &amp; I was able to prove this works in my ASA lab with a simple hairpin nat, but it doesn't seem to be working on the real network with a tunnel involved. &nbsp;Is there something I'm missing that I need to do to allow this to work? &nbsp;Packet-tracer shows the NATing is working as expected, but it claims a deny&nbsp;at the end of the hairpin because it's no longer tunneled traffic once it's headed for the public internet. &nbsp;I've seen in other forums that this is a normal limitation to the packet-tracer tool in regards to tunneled traffic.</P> <P>&nbsp;</P> <P>I have&nbsp;same-security-traffic permit inter/intra-interface enabled. &nbsp;Either one of my nat statements "should" work, but it doesn't seem to be doing the trick.</P> <P>&nbsp;</P> <P>I've included a generic firewall in the drawing to show our public IP for the L2L tunnel is passed through another firewall to us, &amp; that this firewall has the 172.16.0.0/24 network connected to it.</P> <P>&nbsp;</P> <P>What am I missing to make this work as desired?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hairpin.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/12680iC54CA4E872A1E756/image-size/large?v=v2&amp;px=999" role="button" title="hairpin.png" alt="hairpin.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;(EDIT/update with details on my ASA)</P> <P>&nbsp;</P> <P>object network PRIV-IP</P> <P>&nbsp;host 172.16.0.2<BR />object network PUB-IP<BR />&nbsp;host 8.8.8.8<BR />object network REMOTE-HOST<BR />&nbsp;host 192.168.1.10</P> <P>object network REMOTE-HOST2</P> <P>&nbsp;host 192.168.1.11</P> <P>&nbsp;</P> <P>object-group network REMOTE-SITE</P> <P>&nbsp;network-object object REMOTE-HOST</P> <P><SPAN>&nbsp;network-object object REMOTE-HOST2</SPAN></P> <P>&nbsp;</P> <P>access-list TUNNEL-ACL extended permit ip object SERVER1 object-group REMOTE-SITE <BR />access-list TUNNEL-ACL extended permit ip object PRIV-IP object-group REMOTE-SITE <BR />crypto map outside_map 10 match address TUNNEL-ACL</P> <P>&nbsp;</P> <P>nat (outside,outside) source static REMOTE-HOST REMOTE-HOST destination static PRIV-IP PUB-IP<BR />[should also work?] nat (outside,outside) source dynamic REMOTE-HOST interface destination static PRIV-IP PUB-IP</P> <P>&nbsp;</P> <P>object network REMOTE-HOST</P> <P>&nbsp;nat (outside,outside) dynamic interface</P> <P>object network REMOTE-HOST2</P> <P>&nbsp;nat (outside,outside) dynamic interface</P> Fri, 21 Feb 2020 15:50:34 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393116#M955918 wstucky01 2020-02-21T15:50:34Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393193#M955919 <P>Are you NATing at both firewalls? 10.0.0.2 to 172.16.0.2 and then again 172.16.0.2 to 8.8.8.8?</P> Sun, 03 Jun 2018 13:03:55 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393193#M955919 Marius Gunnerud 2018-06-03T13:03:55Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393296#M955920 <P>yes.</P> <P>&nbsp;Updated original post with more details, but here's the essential nat flow:</P> <P>10.0.0.2 &gt; 172.16.0.2 (tunnel) 172.16.0.2 &gt; 8.8.8.8</P> Sun, 03 Jun 2018 20:12:56 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3393296#M955920 wstucky01 2018-06-03T20:12:56Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3396413#M955921 Can you add route-lookup at the end of the nat statement?<BR /> Fri, 08 Jun 2018 13:28:28 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3396413#M955921 Florin Barhala 2018-06-08T13:28:28Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3402854#M955922 <P>No, it will not accept that command. &nbsp;I think I can only use that if I'm keeping the NATs the same&nbsp;on the statement.</P> <P>&nbsp;</P> <P>Sorry for the delay- I was waiting on feedback if I could have the remote ASA NAT to the real IP before the tunnel but was just denied, so I'm back to trying to making this thrice-nat thing work again.</P> Wed, 20 Jun 2018 17:47:51 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3402854#M955922 wstucky01 2018-06-20T17:47:51Z https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3674632#M955923 <P>UPDATE:</P> <P>I ended up routing this traffic Inside instead of haripinning. &nbsp;Funny thing is it still didn't work until I removed the network objects referenced in the NAT statement &amp; added them back. &nbsp;Since that fixed it, I didn't care to try it with the hairpin again to see if that was really all I needed to do.</P> Wed, 25 Jul 2018 17:57:19 GMT https://community.cisco.com/t5/network-security/asa-5510-hairpin-u-turn-traffic-to-escape-tunnel-to-public/m-p/3674632#M955923 wstucky01 2018-07-25T17:57:19Z