ASA 5505 Hairpinning

stevenmorgan
Level 1

Greetings,

I have a 5505 running 9.0(3). I need to access a server on the same internal network using the external public IP address. What is the configuration for this? I've searched, but cannot find a config for 9.0.



Sent from Cisco Technical Support iPad App

4 Replies

Jouni Forss
VIP Alumni

Hi,

It would have been better if you had provided the interface names and some IP addresses to give you an example that can be understood better.

Essentially you need at least 2 things

  • Enable a global configuration on the ASA that permits traffic to enter and leave the same interface with the command "same-security-traffic permit intra-interface"
  • Configure NAT for both Source and Destination address

With regards to the NAT configuration, we essentially need to make sure that the ASA forwards any connection coming towards the public IP address from the LAN to the LAN IP address. This alone is not enough though. You will also have to translate the source address on the ASA so that the return traffic will always come back to the ASA from the server.

If you don't do the above, the ASA will essentially block the connections towards the public IP address, as the TCP connection will never form because of asymmetric routing.

So if we presume the following base information

  • Interface "inside"
  • Network behind "inside" is 10.10.10.0/24
  • Server local IP address is 10.10.10.10
  • Server public IP address is 1.1.1.1

Then you need something like this

object network PUBLIC
  host 1.1.1.1
object network LAN
  subnet 10.10.10.0 255.255.255.0
object network LOCAL
  host 10.10.10.10
nat (inside,inside) source dynamic LAN interface destination static PUBLIC LOCAL

That should pretty much be it.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Thanks for the reply. Your presumption describes what I am needing to do. My current configuration is as follows; however, this is not working. Can you provide some detail on the functionality of your solution and the difference from mine, and why it doesn't work? I would like to better understand what is going on.

same-security-traffic permit intra-interface
nat (inside,inside) source static obj_any Net_Pro

("obj_any" is the object name referring to the outside interface)
("Net_Pro" is the object name referring to the inside host needing to be accessed)

Hi,

If I don't remember wrong, the name "obj_any" is some default object name the ASDM uses to define all/any address/subnet.

If you mean that the "obj_any" contains the public IP and "Net_Pro" contains the local IP of the server, then the order of the objects is wrong. But that is not the only problem.

As I mentioned in the above reply, you will have to translate both the source address of the connection (all the users on the LAN) and the destination address of the connection (the server).

Consider the situation where you only NAT the local IP of the server to the public IP from "inside" to "inside".

This is how the traffic would flow

  • User behind "inside" connects to the public IP address
  • Connection/packet arrives on ASA which has the Static NAT for the server
  • ASA forwards the packet to the local IP address of the server after it has UN-NATed the public IP to the local IP
  • At this point NO translation is done for the source address, therefore the server sees the connection coming from a host IP address that is from the same local network as the server is.
  • Server will reply straight to the host that is initiating the connection. In other words, the server will reply to the host with its real IP address even though the user was connecting to the public IP address and is expecting a reply from that IP.

The below example's purpose is to make sure that the above doesn't happen. The below NAT configuration NATs both the source address of the hosts and the destination IP address of the server.

When a user from the LAN connects to the PUBLIC IP address, the user will be Dynamic PATed to the ASA "inside" interface IP address. (This will make sure that the server replies back to the ASA, as the ASA naturally owns that IP address.) The server public IP address will also be UN-NATed to the local IP address.

object network PUBLIC
  host 1.1.1.1
object network LAN
  subnet 10.10.10.0 255.255.255.0
object network LOCAL
  host 10.10.10.10
nat (inside,inside) source dynamic LAN interface destination static PUBLIC LOCAL

This should enable the connectivity.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
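The packet flow Jouni walks through in both replies (destination-only NAT producing an asymmetric reply, versus source-and-destination NAT keeping the reply on the ASA) can be traced with a small model. The script below is an added example written for this page; it is not from the thread, Cisco or the ASA code base. It reuses the thread's addresses (10.10.10.0/24, server 10.10.10.10, public 1.1.1.1) and assumes 10.10.10.1 as the ASA "inside" interface IP. Ports are left out, so "dynamic PAT to interface" is modelled as a plain source rewrite to the interface address.

```python
"""Model of hairpin (U-turn) NAT on a single ASA interface.

Added example, not original thread content. Addresses follow the thread;
the ASA inside interface address 10.10.10.1 is an assumption.
"""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("10.10.10.0/24")   # network behind "inside"
SERVER_LOCAL = "10.10.10.10"                   # object network LOCAL
SERVER_PUBLIC = "1.1.1.1"                      # object network PUBLIC
ASA_INSIDE_IP = "10.10.10.1"                   # assumed "inside" interface IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Asa:
    """Applies one nat (inside,inside) rule and keeps the resulting xlate."""

    def __init__(self, translate_source: bool):
        # True  -> "source dynamic LAN interface destination static PUBLIC LOCAL"
        # False -> destination-only translation (the poster's broken attempt)
        self.translate_source = translate_source
        # expected reply (src, dst) -> (src, dst) to restore on the way back
        self.xlate = {}

    def forward(self, pkt: Packet) -> Packet:
        # Rule matches only LAN clients talking to the public address
        if pkt.dst != SERVER_PUBLIC or ipaddress.ip_address(pkt.src) not in LAN:
            return pkt
        src = ASA_INSIDE_IP if self.translate_source else pkt.src
        out = Packet(src=src, dst=SERVER_LOCAL)   # UN-NAT public -> local
        self.xlate[(out.dst, out.src)] = (pkt.dst, pkt.src)
        return out

    def untranslate_reply(self, reply: Packet):
        orig = self.xlate.get((reply.src, reply.dst))
        return None if orig is None else Packet(src=orig[0], dst=orig[1])


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src)


def hairpin_flow(client_ip: str, translate_source: bool) -> dict:
    """Trace client -> ASA -> server -> client and report what the client sees."""
    asa = Asa(translate_source)
    to_server = asa.forward(Packet(src=client_ip, dst=SERVER_PUBLIC))
    reply = server_reply(to_server)

    # Server and client share a subnet: the reply only reaches the ASA's
    # NAT table if it is addressed to the ASA itself. Otherwise it is
    # delivered directly on the LAN, bypassing the xlate (asymmetric path).
    if reply.dst == ASA_INSIDE_IP:
        seen_by_client = asa.untranslate_reply(reply)
    else:
        seen_by_client = reply

    return {
        "to_server": to_server,
        "reply_seen_by_client": seen_by_client,
        # The client's TCP stack only accepts a SYN-ACK from the address it
        # sent the SYN to, i.e. the public IP.
        "client_accepts": seen_by_client.src == SERVER_PUBLIC,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = hairpin_flow("10.10.10.50", translate_source=mode)
        print(f"source NAT {'on ' if mode else 'off'}: server sees {r['to_server']}, "
              f"client sees reply {r['reply_seen_by_client']}, "
              f"accepted={r['client_accepts']}")
```

Run it and the destination-only case shows the server answering 10.10.10.50 directly from 10.10.10.10, which the client discards because it expected 1.1.1.1; with the source translation the reply is addressed to 10.10.10.1, passes back through the xlate and reaches the client from 1.1.1.1.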

Your configuration worked, thanks! It was the asymmetrical routing that was confusing me.

Maybe you can provide some insight to one more thing. Prior to installing the ASA, we were using an RV042. Hopefully you're familiar with it. The functionality of hairpinning worked out of the box with the RV042. Why does the ASA need to be configured to do this?
