Cisco ASA U-Turn/Hairpinning

RohitSingh98876
Level 1

Hi, 

I am using ASA version 9.13 and have a scenario where I need to allow communication in which traffic has to go in and out through the same interface.

Example (taking random IPs)

We have a private range 172.16.1.0/24 behind the firewall, where 172.16.1.2 is the web server IP and 172.16.1.3 is the proxy server IP.

ASA firewall outside interface IP - 28.1.1.1/24

Now the web server IP 172.16.1.2 has a destination static NAT with IP 28.1.1.2,

and the proxy server IP 172.16.1.3 has a source dynamic PAT to the ASA outside interface IP 28.1.1.1.

Now we have already allowed access to the web server IP 172.16.1.2 over the internet, and the proxy server is also allowed to access any IP on the internet. Any user from the internet who tries to access the web server with the public IP 28.1.1.2 is able to access it on 443,

but the proxy server is not able to access the web server using the public IP 28.1.1.2.

We want our proxy server to access the web server over the internet, not directly using the private source and destination IPs.

I am aware that the U-Turn traffic flow/hairpinning concept applies here, but I am not sure of the exact configuration that should be applied and need help with that.

Thanks.


3 Replies

Francesco Molino
VIP Alumni
Hi
To do the hairpin, first you need to make sure that same-security-traffic permit intra-interface is configured.
Then it should look like this (I'm typing the config on my phone, so sorry in advance for typos):
Let's assume your inside interface is called inside.

object network PROXY_PRIVATE
 host 172.16.1.3
!
object network WEB_PRIVATE
 host 172.16.1.2
!
object network WEB_PUBLIC
 host 28.1.1.2
!
nat (inside,inside) source static PROXY_PRIVATE PROXY_PRIVATE destination static WEB_PUBLIC WEB_PRIVATE


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco for your answer.

-> I still have a few queries. In order to make this kind of communication happen, is this the recommended way in a production environment, or are there alternatives?

-> Also, if I do that NAT for the PROXY_PRIVATE IP, will that have any impact on the existing source dynamic PAT for that IP?

-> If I allow intra-zone traffic, will that make our environment vulnerable to any attack or the like?

1. To do what you want to achieve, yes, this is the way to do it, even in a production environment. However, I don't know the reason why you want an internal server to communicate with another internal server using the public IP. This is the real question.

2. No impact on the dynamic NAT, as long as the rules are placed in the right order and do not overlap with something existing.

3. For sure, enabling intra-zone traffic isn't the best thing, but if you have the right policies and do not have very wide-open ACLs, you are protecting yourself.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
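Pulling Francesco's hairpin configuration and the follow-up points about rule ordering and intra-interface exposure together, here is a complete ASA configuration fragment. This is an added example and not part of either poster's reply; the ACL name INSIDE_IN and the packet-tracer source port are assumptions, and the object names and addresses are the ones used in the thread.

```text
! 1. Allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! 2. Objects for the hosts involved in the hairpin.
object network PROXY_PRIVATE
 host 172.16.1.3
object network WEB_PRIVATE
 host 172.16.1.2
object network WEB_PUBLIC
 host 28.1.1.2
!
! 3. Twice NAT for proxy -> 28.1.1.2: keep the proxy's source address (identity NAT)
!    and untranslate the public web address to the real server address.
!    Manual NAT rules land in section 1 and are evaluated before object (auto) NAT,
!    so an existing object NAT dynamic PAT for 172.16.1.3 is not affected. If the
!    existing PAT is also manual NAT, use the line-number form, e.g. "nat (inside,inside) 1 ...",
!    so this more specific rule sits above it in "show nat".
nat (inside,inside) source static PROXY_PRIVATE PROXY_PRIVATE destination static WEB_PUBLIC WEB_PRIVATE
!
! 3b. Alternative when proxy and web server share the same subnet: with identity NAT the
!     web server's replies to 172.16.1.3 would go straight across the LAN and bypass the ASA,
!     breaking the TCP session. Translating the proxy's source to the ASA inside interface
!     address forces the return traffic back through the firewall. Use one variant, not both.
! nat (inside,inside) source dynamic PROXY_PRIVATE interface destination static WEB_PUBLIC WEB_PRIVATE
!
! 4. Keep the intra-interface policy narrow: only the proxy, only to the web server, only 443.
!    ACLs on 8.3+ match the real (untranslated) destination address. INSIDE_IN is an assumed
!    name for whatever ACL is already applied inbound on the inside interface.
access-list INSIDE_IN extended permit tcp object PROXY_PRIVATE object WEB_PRIVATE eq 443
access-group INSIDE_IN in interface inside
!
! 5. Verification: confirm rule order and trace a connection before relying on it.
show nat detail
packet-tracer input inside tcp 172.16.1.3 40000 28.1.1.2 443
show xlate
```

The packet-tracer output should show the NAT phase untranslating 28.1.1.2 to 172.16.1.2, the ACCESS-LIST phase matching the INSIDE_IN entry, and a final "Action: allow" with inside as both input and output interface; if the result instead shows a drop in the NAT or ACCESS-LIST phase, compare "show nat detail" for an earlier rule that already matched the proxy's traffic.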