ASA 5510 Hairpin/U-Turn Traffic to escape tunnel to public internet

I have an interesting request from a remote-site not wanting to allow access to a public facing IP.  We have a tunnel between their ASA & ours which hairpins traffic to 2 networks out the outside interface.

(IPs have been changed to protect the innocent)

From the remote-site perspective, they are pointing a host to &, then NATing on the edge of their tunnel to destinations & (to keep everything pointed to private IPs).

Our outside interface has a private IP on the 172.16.0.x/24 network. is the real IP of SERVER1 is an unused dummy IP on the same subnet, & is only used to NAT to the public I'll refer to as


All traffic is initiated from the client's private network, so I would think the stateful TCP connections should allow this to work, & I was able to prove this works in my ASA lab with a simple hairpin nat, but it doesn't seem to be working on the real network with a tunnel involved.  Is there something I'm missing that I need to do to allow this to work?  Packet-tracer shows the NATing is working as expected, but it claims a deny at the end of the hairpin because it's no longer tunneled traffic once it's headed for the public internet.  I've seen in other forums that this is a normal limitation to the packet-tracer tool in regards to tunneled traffic.


I have same-security-traffic permit inter/intra-interface enabled.  Either one of my nat statements "should" work, but it doesn't seem to be doing the trick.


I've included a generic firewall in the drawing to show our public IP for the L2L tunnel is passed through another firewall to us, & that this firewall has the network connected to it.


What am I missing to make this work as desired?






(EDIT/update with details on my ASA)

object network PRIV-IP
object network PUB-IP
object network REMOTE-HOST
object network REMOTE-HOST2

object-group network REMOTE-SITE
 network-object object REMOTE-HOST
 network-object object REMOTE-HOST2

access-list TUNNEL-ACL extended permit ip object SERVER1 object-group REMOTE-SITE
access-list TUNNEL-ACL extended permit ip object PRIV-IP object-group REMOTE-SITE
crypto map outside_map 10 match address TUNNEL-ACL

nat (outside,outside) source static REMOTE-HOST REMOTE-HOST destination static PRIV-IP PUB-IP
[should also work?] nat (outside,outside) source dynamic REMOTE-HOST interface destination static PRIV-IP PUB-IP

object network REMOTE-HOST
 nat (outside,outside) dynamic interface
object network REMOTE-HOST2
 nat (outside,outside) dynamic interface
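For readers following the NAT flow described in the post, the following is an added, self-contained ASA (8.3+ syntax) example of an outside-to-outside hairpin with twice NAT. It is not the poster's configuration and not a confirmed fix for the thread; every address is a placeholder (RFC 1918 and RFC 5737 ranges), and the object names mirror the post only for readability. It shows the three pieces that must agree for the hairpin to work: the crypto ACL must reference the dummy private address (that is what the remote peer encrypts to), the manual NAT rule must translate the destination to the real public address, and the client source must be hidden behind the outside interface so the public server has a routable return path. The packet-tracer line at the end is the check a practitioner would run, with the caveat the post already notes: packet-tracer does not model the traffic as VPN-decrypted, so a final "deny" on the return leg does not by itself prove the live flow is blocked.

```cisco
! Added example, not the poster's running config. All addresses are placeholders.
! Hairpin on a single interface requires intra-interface traffic to be permitted.
same-security-traffic permit intra-interface
!
! Client on the remote site's private LAN (placeholder address).
object network REMOTE-HOST
 host 10.20.30.40
!
! Unused dummy address on the ASA outside subnet; the remote site points at this.
object network PRIV-IP
 host 172.16.0.50
!
! Real public address that the dummy stands in for (placeholder, TEST-NET-3).
object network PUB-IP
 host 203.0.113.80
!
object-group network REMOTE-SITE
 network-object object REMOTE-HOST
!
! Interesting traffic for the L2L tunnel. The dummy address, not the public one,
! belongs here: returning packets are untranslated back to PRIV-IP -> REMOTE-HOST
! before the crypto map is consulted, so this entry is what re-encrypts them.
access-list TUNNEL-ACL extended permit ip object PRIV-IP object-group REMOTE-SITE
crypto map outside_map 10 match address TUNNEL-ACL
!
! Twice NAT (manual NAT, section 1). Syntax is: source <real> <mapped>
! destination static <mapped> <real>. For a packet from REMOTE-HOST to PRIV-IP
! arriving on outside: destination is rewritten to PUB-IP, and the source is
! PAT'd to the outside interface address so the public server can route back.
nat (outside,outside) source dynamic REMOTE-HOST interface destination static PRIV-IP PUB-IP
!
! Verification (exec mode). A TCP/443 flow from the remote client to the dummy IP
! should show the NAT phase translating 172.16.0.50 -> 203.0.113.80 and the
! source -> outside interface address. Use the real SSL/TLS port of the service.
! packet-tracer input outside tcp 10.20.30.40 40000 172.16.0.50 443 detailed
! show nat detail
! show xlate
```

Design note: a single manual rule that translates both source and destination is preferred over combining a destination-only rule with a section 2 object NAT for the source, because once a packet matches a section 1 rule no later section is applied, so a destination-only rule would send the client's private source address toward the public server and the reply would never return through the ASA. Monitoring the flow with `show xlate` and `show conn` while the remote client connects confirms that both translations are built.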

5 Replies

Are you NATing at both firewalls? to and then again to

Please remember to select a correct answer and rate helpful posts


Updated original post with more details, but here's the essential nat flow: > (tunnel) >

Can you add route-lookup at the end of the nat statement?

No, it will not accept that command.  I think I can only use that if I'm keeping the NATs the same on the statement.


Sorry for the delay - I was waiting on feedback on whether I could have the remote ASA NAT to the real IP before the tunnel, but was just denied, so I'm back to trying to make this thrice-NAT thing work again.


I ended up routing this traffic Inside instead of hairpinning.  Funny thing is it still didn't work until I removed the network objects referenced in the NAT statement & added them back.  Since that fixed it, I didn't care to try it with the hairpin again to see if that was really all I needed to do.