Solved: Re: ASA 8.3 NAT hairpinning not working, packet trace included

Roger Vetterberg · ‎03-02-2011

Hi.

I have a ASA 5505 in front of a server answering on https.

I have forwarded port 443 on the external interface to the internal IP of the server, which works fine from the outside.

The problem is that the clients on the inside can not access the external address of the ASA, which should be solved by hairpinning.

However, I cant get it to work.

Scenario:

ASA 5505, external interface 10.1.1.1, port 443 redirected to 192.168.142.10:443

Internal server, ip 192.168.142.10

Internal client, ip 192.168.142.11

ASA config:

object network hnk-dc1-OWA-internal
nat (inside,inside) static 10.1.1.1 service tcp https https

When running wireshard on the server I see the following when internal clients attempts to connect to 10.1.1.1:443:

16840 111.575647 192.168.142.11 192.168.142.10 TCP 51051 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1

16841    111.575694    192.168.142.10    192.168.142.11    TCP    https > 51051 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
16842    111.576055    192.168.142.11    192.168.142.10    TCP    51051 > https [ACK] Seq=1 Ack=1 Win=64240 Len=0
16843    111.576438    192.168.142.11    192.168.142.10    TLSv1    Client Hello
16847    111.577655    192.168.142.11    192.168.142.10    TCP    [TCP ACKed lost segment] 51051 > https [ACK] Seq=122 Ack=4621 Win=64240 Len=0

Why the lost segment? Any ideas?

tj.mitchell · ‎03-03-2011

Something like this:

object network 192.168.142_inside

subnet 192.168.142.0 255.255.255.0

nat (inside,inside) dynamic interface

would give that a shot.. Just remember that this will nat all traffic that hairpins through the firewall from the internal network to the internal network. Also, might need the commands "same-security-traffic permit inter-interface" "same-security-traffic permit intra-interface" because your going in and out the same interface.

View solution in original post

tj.mitchell · ‎03-02-2011

Just a thought, since the server and the user are on the same segment (192.168.142.x network). The traffic initially goes directly to the ASA then around to the server, the server then since it's on the same segment sends it directly to the user. The user then is trying to talk with 10.1.1.1 not 192.168.142.10. The server on the other hand is trying to talk to 192.168.142.11.

Make sense?? What if you source NATted the user to ensure that traffic is sent back to the firewall to provide for the proper traffic pattern.

Just a thought and I could be way off base..

Roger Vetterberg · ‎03-03-2011

I have had exactly the same idea, but I'm not really sure how to solve it.

Some kind of source NAT as you say, but NAT to what? The internal address of the ASA?

tj.mitchell · ‎03-03-2011

Something like this:

object network 192.168.142_inside

subnet 192.168.142.0 255.255.255.0

nat (inside,inside) dynamic interface

would give that a shot.. Just remember that this will nat all traffic that hairpins through the firewall from the internal network to the internal network. Also, might need the commands "same-security-traffic permit inter-interface" "same-security-traffic permit intra-interface" because your going in and out the same interface.

Roger Vetterberg · ‎03-03-2011

That actually seems to work perfectly.

Now to some tweaking, its actually just tcp/443 I want to NAT this way, but I think I can figure out a way to solve that myself.

Thanks for all your help!