Having issue with connecting to device (NVR) on same inside interface using external IP address - Hairpin - Loopback Routing
I'm trying to configure an ASA 5506 (ver. 9.8.1) to allow a device on the inside interface (smartphone connected to the local network via wi-fi) to access an NVR (network video recorder) that is also on the same inside interface; however, I would like to accomplish this by using the outside interface address.
Currently I have NAT & ACL set up to allow a user that is off-site (over the internet) to connect to the NVR using the outside IP address that is nat'd to the inside address of the NVR; it is working great. My problem is when a user is on-site and connected to the wi-fi, the smartphone app (configured with the outside IP address) will not connect to the NVR on the same inside interface using the outside IP address.
Side note: The current NAT (inside, outside) rule is configured to use TCP port 8000 (port 8000 is an example, actual port is different).
Also, I have enabled same-security-traffic permit intra-interface as well as same-security-traffic permit inter-interface.
When the user is connected to the inside network via local wi-fi, and I insert the internal IP address of the NVR into the smartphone app, it obviously works. Simple enough, however, my customer does not understand networks and they expect to be able to open the smartphone app and pull up the cameras whether they are connected to the local wi-fi, or when they are halfway around the world on business. I could set up two connections in the smartphone app (local cameras & remote cameras), but I need it to pull up the cameras using only the outside IP address regardless of whether the user is connected to the inside interface or they are connecting from the outside world thru the outside interface.
I have successfully set this up in the past on a Cisco ASA 5505 using nat (inside, inside) and it worked great. I've also heard of this being referred to as hairpin or loopback routing.
Can someone give me a configuration example of how to make this work? Thanks in advance!
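An ASA 8.3+/9.x style twice-NAT fragment for the (inside,inside) hairpin described above, as an added example that is not part of the original post and not a Cisco-verified answer. The inside network 192.168.1.0/24, the NVR at 192.168.1.50, the public (outside interface) address 203.0.113.10 and the object names are assumed placeholders; the existing (inside,outside) rule for off-site users is left untouched.

```cisco
! Required so a flow can enter and leave the same inside interface
same-security-traffic permit intra-interface

! Assumed placeholders: adjust to the real inside subnet, NVR host,
! outside interface address and the NVR's actual TCP port.
object network OBJ-INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network OBJ-NVR
 host 192.168.1.50
object network OBJ-PUBLIC-IP
 host 203.0.113.10
object service OBJ-TCP-8000
 service tcp destination eq 8000

! Hairpin rule, placed at line 1 of section 1 so it is evaluated before
! any broad (inside,outside) dynamic PAT rule that would otherwise match
! the same inside-sourced packets first.
!  - source dynamic ... interface : PAT the phone to the ASA's INSIDE
!    interface IP, so the NVR replies back through the ASA instead of
!    answering the phone directly (avoids an asymmetric, dropped flow)
!  - destination static OBJ-PUBLIC-IP OBJ-NVR : untranslate the public
!    IP to the NVR's real address for the listed port only
nat (inside,inside) 1 source dynamic OBJ-INSIDE-NET interface destination static OBJ-PUBLIC-IP OBJ-NVR service OBJ-TCP-8000 OBJ-TCP-8000

! Verification: confirm the rule is hit and simulate a phone on the
! wi-fi (192.168.1.20, ephemeral port 40000) reaching the public IP.
! packet-tracer should show the (inside,inside) NAT phase and ALLOW.
show nat detail
packet-tracer input inside tcp 192.168.1.20 40000 203.0.113.10 8000
```

Because the phone is PAT'd to the ASA's inside address, the NVR's own access logs will show the ASA, not the individual phone; if per-client visibility on the NVR matters, keep that trade-off in mind and rely on the ASA's connection logs for attribution.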