Allow hairpinning for internet traffic

Jason Flory
Level 1

Hello Everyone

We have a Cisco ASA running 8.6 code level. We currently have guest networks that we block access to the internal LAN, which means that users on these networks accessing internal resources have to egress to the internet and hairpin back into the network. This is only a problem where we have a Cisco ASA. I know ASAs do not like to allow traffic to exit an interface and come back in again on the same interface.

My question is how do we allow hairpinning on this device. I tried to use the same-security-traffic permit intra-interface command on the outside interface but this did not work.

Thank you

10 Replies

Jouni Forss
VIP Alumni

Hi,

Sounds to me like you are trying to achieve something that is not possible on the ASA, or at least doesn't happen in the way you describe.

I mean traffic can't come from some Guest interface, then head out through the External interface and then again enter back through the External interface and be forwarded to the Internal interface.

Or have I understood something wrong?

I gather you want to allow something from Guest to Internal? If so, shouldn't you do this straight between Guest and Internal?

Hairpinning usually only involves a single interface on the ASA. The most usual situations are:

  • VPN Client users need access to External networks through the VPN connection. In this situation traffic enters and exits the External interface
  • Internal users have a server on the same subnet and want to access it through its NATed public IP address rather than the local IP address. In this situation traffic enters the Internal interface and is forwarded back through the Internal interface. Both source and destination addresses are translated for this to work.

Can you clarify the situation a bit?

If you have the latter situation of the above, where user and server are both in the same subnet behind the same ASA interface, then you can use this format:

object network SERVER-REAL
 host
object network SERVER-MAPPED
 host
object network LAN-NETWORK
 subnet
nat (Internal,Internal) after-auto source dynamic LAN-NETWORK interface destination static SERVER-MAPPED SERVER-REAL

- Jouni

Thanks for the reply.

Our offices are broken up into several VLANs, one of which is the guest network that users access for BYOD and client access via wifi. The AP has a rule on it that blocks access to the internal LAN. Problem is the rules are not that granular, where you can allow access to the internal resources, at least in a secure manner. We have a couple of egress points on our network and this is not a problem where there are non-Cisco firewalls.

The traffic traverses the WAN and egresses via the Cisco ASA through the inside interface and then out the outside interface. If destination traffic is for an inside resource it then tries to come back in the same interface, at which point packets drop. I cannot give access to resources via the AP because it will only allow all traffic or no traffic.

I guess it would be more like the second scenario you mention. Servers we want to access are on the internal LAN and DMZ behind the ASA. However, they are not on the same subnet.

Example:

Guest network is 10.3.10.0 /24 (rule on AP blocks access to all internal resources but allows access to the internet)

Inside interface of ASA 10.3.0.3 /29

DMZ subnet 172.16.28.1

Outside 64.47.x.x

From guest we would like to be able to get to published resources on the internal network. In your second scenario, are you saying to basically publish the resources on the inside interface as well?

Hi,

To be honest I am still not quite sure how the setup is.

You say that you have a separate VLAN for the Guest network and the AP can either block or allow all traffic to the Internal network? What is stopping you from controlling the traffic on the ASA interface with specific rules?

When it comes to the ASA, traffic can enter one interface and leave through another, or traffic can come in through one interface and leave through it. I don't think it's possible for the traffic to enter one interface, leave through another interface and then again enter that same interface. I would imagine this would result in a drop with a log message of IP Spoof.

I didn't quite get this part either:

"The traffic traverses the WAN and egresses via the Cisco ASA through the inside interface and then out the outside interface. If destination traffic is for an inside resource it then tries to come back in the same interface, at which point packets drop."

It might be possible that I have understood this wrong, and at this point it would probably be a lot easier to look at the situation with the help of a picture or the actual configuration.

- Jouni

So the Guest wifi networks are not directly connected to the ASA. We have multiple offices connected via MPLS and have 2 egress points, one on the east coast and one on the west coast. Every office has a guest network which is a VLAN on our MPLS network, but the APs (Meraki) themselves block access to the internal LAN. I suppose they have a rule that blocks access to any private LAN space. Once it passes the AP it rides our WAN to its nearest egress, which then exits out the ASA. We have a firewall on the west coast and one on the east coast, both of which publish internal resources. So traffic from guest networks would have to pass the inside interface and the outside interface and then come back in. Like I said, only the ASA blocks this traffic. The firewall on the west coast does not block hairpinning like this.

Sounds like what I want to do is not possible with the ASAs. So this must be a common problem for people using Merakis and Cisco ASAs.

It almost sounds like you have a routing loop going on.

In any case, to configure hairpinning on the ASA just add the command you mentioned in your post: same-security-traffic permit intra-interface

But you also need to make sure that the ACLs permit the traffic you want to allow through and that NAT is correctly configured (if this is relevant).

--
Please remember to select a correct answer and rate helpful posts

No routing loop as far as I can see.

Bottom line is how do we allow internal users to access published resources on the ASA via the outside interface. This means packets would have to traverse the inside interface and then come back in the outside interface.

Where do I place this command? On the outside interface? Inside and outside?

Thanks

n_schloemer
Level 1

I don't have a complete picture of what you're trying to do, and honestly, I think through some other routing and security means we could probably come up with a better solution. However, that being said, from what I understand it appears you are trying to hairpin.

If you are attempting to hairpin with an ASA you need to implement a service policy to ignore the TCP state. This configuration is called tcp-state-bypass.

policy-map TCP-BYPASS
 class TCP-BYPASS
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable

Also, be wary of your NAT configurations.

If you get a chance, run a debug (CLI/ASDM, doesn't matter) and filter on the source traffic of a node on the originating subnet.

Packet-tracer is also a very powerful tool; if you understand your traffic patterns through each interface, please attempt to compile this output as well.

This guy explains it a little more elegantly, but basically it is the same thing I want to do, except that I am doing this because my internal "guest networks" do not have access to the LAN.

http://www.willneumann.net/2009/04/setup-u-turn-hairpinning-on-cisco-asa/

I just need to figure out how to do this using 8.6 code. This is using the old static NAT commands.

Thanks

I tried the instructions above and it did not work.

To test, I published a server using port 80 and then from a different subnet tried to get to the server using its NATed public IP (hairpin) and could not get there. I also tried packet tracer and get green all the way down.

I will open a TAC case to see if they can help me. I will post results back here.

Are you trying to access the public IP of the published servers? If so, I am assuming you are using a local DNS server?

If this is the case you would need to NAT traffic that is destined for the public IP of the server to the private IP on the inside network.

object network SERVER-PRIVATE-IP
 host 192.168.1.10
object network SERVER-PUBLIC-IP
 host 3.3.3.3
object network LAN
 subnet 192.168.1.0 255.255.255.0
object service PORT
 service tcp source 80
nat (inside,inside) source dynamic LAN LAN destination static SERVER-PUBLIC-IP SERVER-PRIVATE-IP service PORT PORT

--
Please remember to select a correct answer and rate helpful posts
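To tie the replies together for the topology in the question, here is an added configuration example in ASA 8.3+ syntax; it is mine, not from any poster or from Cisco's documentation. It assumes a DMZ web server at 172.16.28.10, a placeholder public address 203.0.113.10 standing in for the real outside IP, and the guest VLAN 10.3.10.0/24 arriving on the inside interface from the MPLS WAN; the point is that rewriting the destination while the packet is still on the inside interface sends the flow inside -> dmz, so it never has to leave and re-enter the outside interface.

```cisco
! Added example, not from the thread. Assumed addresses: DMZ web server 172.16.28.10,
! public address 203.0.113.10 (placeholder for the real outside IP), guest VLAN 10.3.10.0/24.
!
! --- existing publication of the server towards the Internet (object NAT) ---
object network DMZ-WEB-REAL
 host 172.16.28.10
 nat (dmz,outside) static 203.0.113.10
!
! --- objects used by the guest-side rule ---
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object network GUEST-NET
 subnet 10.3.10.0 255.255.255.0
!
! Guest traffic arrives on "inside" with destination 203.0.113.10. This twice-NAT rule
! rewrites the destination to the real DMZ address on the inside interface, so the ASA
! routes it inside -> dmz instead of inside -> outside -> (dropped on re-entry).
! The source is identity-translated: the server sees the real guest address and its
! replies follow the ASA's route back to 10.3.10.0/24 via inside.
nat (inside,dmz) source static GUEST-NET GUEST-NET destination static DMZ-WEB-PUBLIC DMZ-WEB-REAL
!
! same-security-traffic permit intra-interface is a global command, not applied per
! interface; it is only required when a flow enters and leaves the SAME interface,
! i.e. the (inside,inside) rule shown in the replies above, not for this inside -> dmz flow.
!
! Least privilege: only HTTP from the guest VLAN to this one server, everything else in
! private address space denied and logged, Internet access kept. In 8.3+ syntax the ACL
! matches the real (untranslated) destination address. If an ACL is already applied
! inbound on inside, merge these lines into it instead of replacing it.
access-list INSIDE-IN extended permit tcp object GUEST-NET object DMZ-WEB-REAL eq www
access-list INSIDE-IN extended deny ip object GUEST-NET 10.0.0.0 255.0.0.0 log
access-list INSIDE-IN extended deny ip object GUEST-NET 172.16.0.0 255.240.0.0 log
access-list INSIDE-IN extended deny ip object GUEST-NET 192.168.0.0 255.255.0.0 log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Verification from exec mode (no real traffic needed). Expect the NAT phase to show the
! (inside,dmz) rule and the output interface to be dmz, not outside:
!   packet-tracer input inside tcp 10.3.10.25 40000 203.0.113.10 80
!   show nat detail
!   show xlate | include 172.16.28.10
```

Guest clients must still resolve the server's name to the public address (an external DNS answer is fine here), since the rule keys on the destination 203.0.113.10.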