ASA Port Forwarding with VPN Hairpinning

Euan McGregor
Level 4

Hello,

I have been working on an issue for a while and I have managed to track down the issue, but I am not sure how to fix the issue.

I have an ASA 5505 running 8.4(7) with a tunneled AnyConnect VPN for inbound remote users. I also would like to set up inbound port forwarding for a webserver.

The issue seems to be the hairpinning rule that is causing the inbound port forwarding to be stopped:

nat (outside,outside) source dynamic NETWORK_OBJ_172.16.1.0_28 interface description hairpin for vpn users natting on the outside interface

When I disable this the port forwarding will work perfectly (according to packet tracer that is).

I have attached the config to this post. I would appreciate any insight how to get the VPN hairpinning and the inbound port forwarding to work.

The config has been condensed to remove unneeded config.

Thanks

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

What are the configuration commands you are using to set up the Static PAT (Port Forward)?

The problem is most likely the ordering of the NAT configuration, as the above NAT configuration is at the top of the NAT configurations.

The Static PAT configuration you could use to make it work would be

object network SERVER
 host
object service WWW
 service tcp source eq www
nat (server,outside) 1 source static SERVER interface service WWW WWW

The above presumes the source interface for the host is "server" and that the service you want to do Static PAT for is TCP/80.

Notice that we add the number "1" in the "nat" command. This will add it at the top. The same thing would have to be done for any other Static PAT you configure that you want to work for these VPN Clients.

Hope this helps

- Jouni

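To make the ordering point concrete, the following is an added Python model of the ASA NAT lookup; it is not ASA code and not part of the thread. It assumes the ASA's three-section evaluation (section 1 manual/twice NAT in configured order, then section 2 object NAT, first match wins), with the hairpin rule from the post in section 1. The outside interface address, the web server address, the VPN client address and the Internet client address are constructed; only the 172.16.1.0/28 VPN pool comes from the post. The match semantics are a deliberate simplification: a static rule is bidirectional, while a dynamic PAT rule has no translation for a flow initiated from the mapped side.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses for the illustration; only the VPN pool comes from the post.
OUTSIDE_IP = ip_address("203.0.113.10")        # ASA outside interface ("interface" keyword)
VPN_POOL = ip_network("172.16.1.0/28")          # NETWORK_OBJ_172.16.1.0_28 from the post
WEB_SERVER = ip_network("192.168.10.80/32")     # object network SERVER (host is not given in the post)
INTERNET_HOST = ip_address("198.51.100.7")      # constructed Internet client
VPN_CLIENT = ip_address("172.16.1.5")           # constructed address inside the VPN pool


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = manual/twice NAT, 2 = object NAT, 3 = manual NAT "after-auto"
    real_if: str
    mapped_if: str
    real: IPv4Network            # real addresses
    mapped: IPv4Address          # mapped address; "interface" resolves to the mapped_if address
    static: bool                 # static is bidirectional, dynamic PAT is real-side initiated only
    port: Optional[int] = None   # service port for static PAT; None matches all ports


@dataclass
class Packet:
    ingress: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


class NatTable:
    """First-match lookup over section 1, then 2, then 3, in configured order within a section."""

    def __init__(self) -> None:
        self.rules: List[NatRule] = []

    def add(self, rule: NatRule, position: Optional[int] = None) -> None:
        # 'nat (x,y) 1 source static ...' inserts at line 1 of its section; no number appends.
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position - 1, rule)

    def ordered(self) -> List[NatRule]:
        # sorted() is stable, so configured order is preserved inside each section
        return sorted(self.rules, key=lambda r: r.section)

    def lookup(self, pkt: Packet) -> Tuple[Optional[str], str, Optional[IPv4Address]]:
        for r in self.ordered():
            # Real-side match: traffic entering on the real interface from a real address.
            if pkt.ingress == r.real_if and pkt.src in r.real:
                return (r.name, "translate-src", r.mapped)
            # Mapped-side match: traffic entering on the mapped interface for the mapped address.
            port_ok = r.port is None or pkt.dport == r.port
            if pkt.ingress == r.mapped_if and pkt.dst == r.mapped and port_ok:
                if r.static:
                    return (r.name, "translate-dst", r.real.network_address)
                return (r.name, "drop", None)   # dynamic PAT: no xlate for a mapped-side initiated flow
        return (None, "no-nat", pkt.dst)


def build_table(static_pat_position: Optional[int]) -> NatTable:
    """Hairpin rule from the post plus the web Static PAT, either as object NAT (None)
    or as manual NAT inserted at the given section-1 line."""
    table = NatTable()
    table.add(NatRule("hairpin", 1, "outside", "outside", VPN_POOL, OUTSIDE_IP, static=False))
    web = NatRule("web-pat", 1, "server", "outside", WEB_SERVER, OUTSIDE_IP, static=True, port=80)
    if static_pat_position is None:
        table.add(replace(web, section=2))        # 'object network' NAT always sits below section 1
    else:
        table.add(web, position=static_pat_position)
    return table


def inbound_http(static_pat_position: Optional[int]):
    """Internet client connecting to the outside interface on TCP/80 (the packet tracer case)."""
    return build_table(static_pat_position).lookup(Packet("outside", INTERNET_HOST, OUTSIDE_IP, 80))


def vpn_client_outbound(static_pat_position: Optional[int]):
    """VPN client hairpinning back out to the Internet; must still hit the hairpin rule."""
    return build_table(static_pat_position).lookup(Packet("outside", VPN_CLIENT, INTERNET_HOST, 443))


if __name__ == "__main__":
    print("object NAT     :", inbound_http(None))   # hairpin matches first, flow dropped
    print("manual, line 1 :", inbound_http(1))      # web-pat matches first, translated to the server
    print("manual, line 2 :", inbound_http(2))      # below the hairpin rule, dropped again
    print("vpn client     :", vpn_client_outbound(1))
```

Running the three inbound cases shows why the position number matters: as object NAT or as manual NAT at line 2 the packet reaches the `(outside,outside)` dynamic rule first and has no translation, while at line 1 the Static PAT wins and the VPN hairpin rule still serves the VPN clients' own traffic.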

2 Replies

Hi JouniForss,

Thanks for the quick reply. Looking good, I never thought to put it at the top; I was configuring it as a network object NAT rule. Looks like VPN users can still see internal servers too!

Thanks
