Guest Network Hairpin

James Nowotny
Level 1

I just replaced a Netscreen firewall with an ASA 5515-X. Everything works, almost! The Netscreen allowed clients on the guest network to access NATed hosts on the DMZ and inside interfaces with their Internet addresses. There was nothing special about it, it just worked. I think on the ASA I need to set up a hairpin or U-turn to make this work. I have looked around and I'm not sure I understand it, so I'm asking here.

Here's my config. No VLANs on the ASA, just individual interfaces.

outside   #.#.#.#/28          From ISP
inside    10.0.0.0/8          internal DNS
guest     192.168.1.0/24      external DNS
dmz       192.168.2.0/24      external DNS

What I would like is for any client on the guest network to act as if it were any client on the Internet. Is this doable? If so, what's the best way to do it?

Thanks...Jim

2 Replies

To enable hairpinning it is just one command:

same-security-traffic permit intra-interface

Most often this is used when you have configured subinterfaces on the ASA and traffic is entering and then leaving the same interface.

Keep in mind that the above command just enables hairpinning; you may need more configuration to get traffic to flow.

--
Please remember to rate and select a correct answer

Julio Carvajal
VIP Alumni

Hello James,

So you have 4 different interfaces, no U-turn here then.

You want the Guest users to access the Inside and DMZ servers by their public IP address.

All you need is:

object network Real-Inside_Server
 host 10.0.0.9
object network Public_Inside_Server
 host 4.2.2.2
nat (inside,guest) 1 source static Real-Inside_Server Public_Inside_Server

And of course configure an ACL on the guest interface to allow access to the 10.0.0.9 host.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
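Julio's answer shows the inside server; as an added example (not Julio's or Cisco's configuration), the same pattern is carried through for a DMZ host as well, with the guest ACL he mentions written out. The DMZ host 192.168.2.10, its public address 4.2.2.3, the object and ACL names and the ports are assumptions.

```text
! Added example: guest clients reach inside and DMZ servers by public IP.
! Real (untranslated) addresses. 192.168.2.10 is a constructed placeholder.
object network Real-Inside_Server
 host 10.0.0.9
object network Real-DMZ_Server
 host 192.168.2.10
! Public (mapped) addresses. 4.2.2.3 is a constructed placeholder.
object network Public_Inside_Server
 host 4.2.2.2
object network Public_DMZ_Server
 host 4.2.2.3
!
! Translations toward the ISP (assumed already present in the running config).
nat (inside,outside) source static Real-Inside_Server Public_Inside_Server
nat (dmz,outside) source static Real-DMZ_Server Public_DMZ_Server
!
! The same translations toward guest. When a guest client sends to 4.2.2.2,
! the ASA untranslates it to 10.0.0.9 and forwards the packet out inside;
! no same-security-traffic hairpin is needed because ingress and egress differ.
nat (inside,guest) source static Real-Inside_Server Public_Inside_Server
nat (dmz,guest) source static Real-DMZ_Server Public_DMZ_Server
!
! Guest Internet access as object (auto) NAT: section 2, so it is evaluated
! after the manual rules above and cannot capture the 4.2.2.x flows.
object network Guest_Net
 subnet 192.168.1.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Guest is a lower-security interface, so inbound traffic needs an ACL.
! On ASA 8.3 and later the ACL matches the real (untranslated) destination,
! so it names 10.0.0.9, not 4.2.2.2. Ports and ACL name are assumptions.
access-list guest_access_in extended permit tcp any object Real-Inside_Server eq 443
access-list guest_access_in extended permit tcp any object Real-DMZ_Server eq 80
! Keep the rest of inside and DMZ off limits, then let guests out to the Internet.
access-list guest_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list guest_access_in extended permit ip any any
access-group guest_access_in in interface guest
```

Because the guest clients use external DNS and therefore already resolve the public addresses, no DNS rewrite (the `dns` keyword on the NAT rule) is needed for this flow.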