ASA 5505- NAT Hairpin question

dspahn · ‎05-31-2013

I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did. I appreciate any help. Thanks!

I have asked this question other places before, and I am invariably asked why I would want to allow such a pointless thing. Here's some of the reason: Our firm uses handheld devices with proprietary software that can only be configured with one address- and most of the time, it must be in use over a cell connection, over the WAN. There are specific cases where we need to troubleshoot, or optimize sync times under time-sensitive conditions without having to bring additional IT staff in from home. This would put the configuration onus on IT rather than on a less-knowledgible employee and allow a more efficient support experience. Again, I appreciate the help.

Jouni Forss · ‎05-31-2013

Hi,

You didnt mention the software level but I would presume since you state that its an old 5505 that it might be running something below 8.3 (which was the software where the NAT format changed). Correct if I am wrong.

I presume that you are using the software level 8.2 and below NAT configuration format.

Below are the basic steps you usually take to implement this

So, at minimum you usually have this configuration

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

Thats your default Dynamic PAT for LAN users Internet traffic

Then you decide to configure a server with its own public IP address using Static NAT

static (inside,outside) 123.456.789.012 192.168.1.244 netmask 255.255.255.255

You then find out that LAN host should also be able to reach this host with the public IP address. And since this isnt supported by the ASA with the above Static NAT alone we would usually have to make sure we have couple of other configurations.

First we enable

same-security-traffic permit intra-interface

This will basicly allow the traffic to enter and leave the same interface on the ASA. This is required for the setup to work.

Now we need to configure a Static NAT from "inside" to "inside" which translates the local IP to public IP

static (inside,inside) 123.456.789.012 192.168.1.244 netmask 255.255.255.255

But this is still not really enough.

This alone would make it possible for the connection from the LAN host to reach the ASA and then the actual server. The problem lies with the fact that the source address is not translated so the server will reply in the 3 way TCP handshake directly to the host while the host will send the last of the 3 messages through ASA and ASA will block it since it didnt see the 2nd message of the 3 way handshake.

Because of this we need to configure Dynamic PAT from "inside" to "inside" also. This is because now each LAN host will be translated to the ASAs "inside" interface IP address and this will make sure that ASA always sees all the required transactions of the TCP connection. This is naturally because the server will see the traffic coming from the ASA interface IP address and will therefore have to forward all traffic through it when the LAN users are connecting to it.

Considering the existing Dynamic PAT above we only add the following command

global (inside) 1 interface

This should pretty much be it. If for some reason "inside" ACL rules are tight then naturally make sure they dont block the connection.

Hope this helps

If this answered your question, please remember to mark the reply as the correct answer

Ask more if needed

- Jouni

dspahn · ‎05-31-2013

I apologize for not mentioning that I am using ASDM 6.4 and the ASA is on 8.2(5). How does this translate into the GUI? I pulled my running config, and found the lines that seem to correspond to your response:

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.123.0 255.255.255.128

static (inside,outside) 123.456.789.012 192.168.1.244 netmask 255.255.255.255

So I am pretty sure the global config items are OK, since I have one of these that is working. What do I need to do in the ASDM to complete this configuration?

Thanks!

Jouni Forss · ‎05-31-2013

Hi,

I dont personally use ASDM myself.

It would be easier to see the NAT configurations in CLI format

You can use the ASDM to get the configurations in CLI format (and also enter CLI format configurations if needed)

You can go to ASDM -> Tools -> Command Line Interface -> Enter the command -> Press send

You should be able to issue the commands

show run global

show run nat

show run static

And get the output and share them here (while masking the possible public IP addresses)

- Jouni

dspahn · ‎05-31-2013

Result of the command: "show run global"

global (outside) 1 interface

Result of the command: "show run nat"

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Result of the command: "show run static"

<----Deleted a few irrelevant lines ------>
static (inside,outside) tcp xxx.yyy.zzz.vvv https 192.65.1.16 https netmask 255.255.255.255
static (inside,outside) tcp xxx.yyy.zzz.vvv 587 192.65.1.16 587 netmask 255.255.255.255
static (inside,outside) tcp xxx.yyy.zzz.vvv 990 192.65.1.16 990 netmask 255.255.255.255

static (inside,outside) tcp xxx.yyy.zzz.vvv 8080 192.65.2.44 8080 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.24 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.27 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.87 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.44 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.20 netmask 255.255.255.255

Jouni Forss · ‎05-31-2013

Hi,

I only see normal Dynamic PAT

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Then theres a NAT0 configuration

nat (inside) 0 access-list inside_nat0_outbound

The ACL named "inside_nat0_outbound" is used with the NAT0 configuration line to bypass NAT for traffic defined in the ACL.

Then there are Static PAT (Port Forward) and Static NAT configurations

static (inside,outside) tcp xxx.yyy.zzz.vvv https 192.65.1.16 https netmask 255.255.255.255

static (inside,outside) tcp xxx.yyy.zzz.vvv 587 192.65.1.16 587 netmask 255.255.255.255

static (inside,outside) tcp xxx.yyy.zzz.vvv 990 192.65.1.16 990 netmask 255.255.255.255

static (inside,outside) tcp xxx.yyy.zzz.vvv 8080 192.65.2.44 8080 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.24 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.27 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.87 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.44 netmask 255.255.255.255
static (inside,outside) xxx.yyy.zzz.vvv 192.65.1.20 netmask 255.255.255.255

I cant see any existin Static NAT configuration that would enable a "inside" user to access the "inside" server with the public IP address defined in one of the static (inside,outside) configurations.

So I am not quite sure to what working/exiting configuration you are referring to

As you can see there is none of the additional NAT configurations I mentioned that you usually use to enable accessing the internal host with the public NAT IP address

- Jouni