Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
1
Replies

Hairpin Static NAT

chevymannie
Level 1
Level 1

‎08-15-2013 02:35 PM - edited ‎03-11-2019 07:26 PM

I created a hairpin NAT statement on an ASA so that users can access an internal website using it's external IP address.  I'm able to ping the site from the workstations without a problem, but I'm unable to pull up the site.  It works fine externally.  Anyone run into a similar issue?  Running 8.2(5).

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎08-15-2013 02:55 PM

Hi,

You are most probably lacking a translation for the source address while you have the translation for the destination address.

What I mean is that the connection currently goes like this

  • Host connects to server public
  • Connection reaches ASA
  • ASA untranslates the destination address to the real IP address
  • The server sees the connection coming from a local IP address
  • The server replies to that local IP address directly wihtout sending the traffic to ASA (as it sees the source host in the same network)
  • Connection gets stuck because the traffic doesn flow correctly

So lets use these examples information to configure the correct translation

  • Local network 10.10.10.0/24
  • Server 10.10.10.10
  • Public IP address 1.1.1.1
  • Interfaces called "inside" and "outside"

Default Dynamic PAT for outbound

global (outside) 1 interface

nat (inside) 1 10.10.10.0 255.255.255.0

Static NAT outbound

static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255

Static NAT for local traffic

static (inside,inside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255

So you probably have all the above things in a similiar form already on the ASA.

What you need to add is this

global (inside) 1 interface

This  (together with the earlier "nat" command) will translated the users source address while connecting the server with the public IP address. Because we translate the users to ASAs "inside" interface IP address this means that ASA will see all the packets related to the connection and the connection should work.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card