ASA 8.0 Hairpin ASDM

Edrick Smith
Level 1

I need to configure an ASA so that traffic for an internal server, say 192.168.1.250 port 8801, can be accessed using the public IP. I want only the specifically needed ports to be routed to this internal server address. If I add a static NAT route in the ASDM that doesn't specify any PAT then it works, but it routes all ports when using the external IP internally. As soon as I enable the PAT setting and specify the TCP port it no longer works.

4 Replies

Aditya Ganjoo
Cisco Employee

Hi Edrick,

Can you share the config snippet?

You just need to have a static PAT statement:

static (inside,outside) tcp 1.1.1.1 9999 192.168.1.250 8081

This statement would only use the port 8081 and in addition to this you need to open an access-rule on the outside for the public IP on port 8081.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

The interface would need to be inside, inside would it not?

We're trying to access a server on the internal network but use the public IP address. So hairpin, the ASA needs to take the traffic say from the LAN Network on a device which is accessing a server on that LAN but via the public IP address.

So 192.168.1.100 (Client) is accessing 192.168.1.200:8801 on the public IP of, say, 64.25.24.12:8801. Both the client and server are on the same LAN, but the server must be accessed via the public IP, and Split DNS isn't an option.

The NAT rule works as long as I don't specify PAT forwarding. I create the rule in ASDM under Configuration > Firewall > NAT Rules > Add:

Original: Interface inside
Source: 192.168.5.250 (Server IP)

Translate: Interface inside
Use IP Address: 75.75.75.75 (Example Public IP)

Then select OK, and it forwards all traffic that uses the public IP internally to the server, no problem. But I don't want it to forward all local traffic, only traffic on the specific port 8801. If there's no other rule set up for another port then it shouldn't hairpin it.

However, if on that same rule I tell it to do PAT, give it the TCP ports and apply it, it no longer works.

Hi Edrick,

Please use the following config:

static (inside,inside) tcp <public> <port> <web server private IP> <port>

and also:

same-security-traffic permit intra-interface

Regards,

Aditya

Please rate helpful posts and mark correct answers.
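The reply above gives the two key commands but not the surrounding pieces that make a port-specific hairpin actually pass traffic on ASA 8.0 (pre-8.3 NAT syntax). The following is an added example, not a config posted in this thread and not Cisco's own documentation text. It assumes a placeholder public address of 203.0.113.10, the server 192.168.1.250 and port 8801 from the question, a LAN of 192.168.1.0/24, and an outside ACL named OUTSIDE_IN; adjust these to the real environment.

```cisco
! Added example (not from the thread). ASA 8.0, pre-8.3 NAT syntax.
! Placeholders: 203.0.113.10 = public IP, 192.168.1.0/24 = LAN,
! 192.168.1.250:8801 = internal server/port as given in the question.

! 1. Required for any traffic that enters and leaves the same interface
!    (inside -> inside hairpin). Without this the hairpinned packets are dropped.
same-security-traffic permit intra-interface

! 2. Static PAT for external clients: only TCP/8801 on the public IP is mapped
!    to the server. Any other port on 203.0.113.10 is not forwarded.
static (inside,outside) tcp 203.0.113.10 8801 192.168.1.250 8801 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 8801
access-group OUTSIDE_IN in interface outside

! 3. Static PAT for the hairpin: LAN clients that connect to the public IP on
!    TCP/8801 are redirected to the server. Again, only this one port is
!    translated, which is the behaviour asked for in the question.
static (inside,inside) tcp 203.0.113.10 8801 192.168.1.250 8801 netmask 255.255.255.255

! 4. Source-translate the hairpinned clients to the ASA's inside address.
!    Otherwise the server sees the client's real LAN address and answers it
!    directly on the LAN, the reply never passes the ASA, and the TCP session
!    stalls (the symptom of "it works without PAT but not with PAT" often looks
!    like this in practice). Policy id 1 is assumed; reuse the existing nat id
!    if one is already configured for outbound PAT.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
```

Two things worth checking after applying this. First, if an access-list is applied inbound on the inside interface, it must permit TCP to host 203.0.113.10 eq 8801, because on pre-8.3 code inbound ACLs on the inside see the destination before translation, i.e. the public address. Second, step 4 means the server logs will show hairpinned connections as coming from the ASA's inside interface address rather than the individual client, which is the trade-off for a symmetric return path without split DNS.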

I believe this would do the same as what I mentioned in ASDM? It seems that if you don't specify a port when doing the setting in ASDM it works, but as soon as you do it by specifying a port it doesn't work. Would there be an ACL or something preventing it from working when you specify a port vs. just having it forward all traffic?
