1324 Views, 0 Helpful, 3 Replies

Hairpin Traffic through different interface?

Eric Snijders
Level 1

Hi all,

I think I have a simple question but I have no solution for it. Imagine the following topology:


I've left out all the unimportant stuff.

Now basically what my question is: is there any way I can make SERVER01 ingress at Gi0/1 (Customer interface) without messing around with the physical connections?

Why? Server01 will be running vulnerability scanning software, but we want to scan from the customer's perspective, and Server01 in this case will be running in the Cloud. The best situation will be if Server01 ingresses at Gi0/1, since that ACL will be applied. I want to avoid making double ACLs, since the "effect" of vulnerability scanning will be lost if I manually need to (re)create the same ACL as Gi0/1. And in this case I can't just apply the Gi0/1 ACL to Gi0/0 as well, since there is a lot more stuff coming from the cloud.

Accepted Solution

Marvin Rhoads
Hall of Fame

Short answer: No.

When the server traffic ingresses, the ASA will look up the egress interface based on the routing table and (possibly) a NAT override. You could put in a NAT rule to make the server seem like it's on the customer network, but that won't make it hit the inbound ACL on Gi0/1.
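To make the ordering in Marvin's answer concrete, here is an added illustration that is not from the thread and not Cisco code: a simplified Python model of ASA ingress processing with constructed interface names, routes, ACL entries and a NAT entry. It shows that the inbound ACL evaluated is fixed by the ingress interface, so a NAT rule giving Server01 a customer-range address changes only the translated source and a scan from Gi0/0 is still judged by the Gi0/0 ACL.

```python
import ipaddress

# Simplified model (assumption, not ASA code): for each packet the ASA
# 1) evaluates the inbound ACL of the INGRESS interface,
# 2) applies NAT, 3) looks up the egress interface in the routing table.
# All interfaces, prefixes, hosts and rules below are constructed.
ROUTES = {                      # destination prefix -> egress interface
    "10.10.0.0/16": "Gi0/1",    # customer network
    "10.20.0.0/16": "Gi0/0",    # cloud network, where Server01 lives
    "0.0.0.0/0": "Gi0/2",       # everything else (protected hosts)
}
ACLS = {                        # inbound ACL per interface: (action, src, dst, port)
    "Gi0/1": [("permit", "10.10.0.0/16", "192.168.50.10/32", 443),
              ("deny", "0.0.0.0/0", "0.0.0.0/0", None)],
    "Gi0/0": [("permit", "10.20.0.0/16", "0.0.0.0/0", None)],   # cloud is trusted
}
NAT = {"10.20.0.5": "10.10.0.250"}   # static NAT: Server01 -> customer-range address


def longest_match(table, ip):
    """Longest-prefix match of ip against a prefix -> value table."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in table if addr in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return table[best]


def acl_decision(iface, src, dst, port):
    """First-match evaluation of the inbound ACL bound to iface."""
    for action, s, d, p in ACLS.get(iface, []):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
                and p in (None, port)):
            return action
    return "deny"   # implicit deny at the end of every ACL


def process(ingress, src, dst, port):
    """Return (acl_used, decision, translated_src, egress) for one packet."""
    decision = acl_decision(ingress, src, dst, port)  # ACL chosen by ingress interface only
    xlated = NAT.get(src, src)                        # NAT does not change which ACL ran
    egress = longest_match(ROUTES, dst)
    return ingress, decision, xlated, egress


if __name__ == "__main__":
    # Server01 scanning from the cloud side vs. a real customer host on Gi0/1.
    print(process("Gi0/0", "10.20.0.5", "192.168.50.10", 22))
    print(process("Gi0/1", "10.10.0.50", "192.168.50.10", 22))
```

The first call returns a permit from the Gi0/0 ACL even though the source is translated into the customer range, while the same probe from a customer host is denied by the Gi0/1 ACL; that gap is why the scan report would not reflect the customer's exposure.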


Hi Marvin,

Thanks for the response. I was already afraid of that answer but it is what it is.
Do you perhaps have a suggestion if we would want to perform a vulnerability scan of some sort from the customer's perspective, but where it's kind of complicated to connect a machine from the customer's side?

Basically the only thing I want to avoid is to separately build 2 ACLs. Not that I'm lazy, but to completely "trust" the outcome of a vulnerability scanning report. I'm not really sure how to deal with this.

If you could insert a small switch between your ASA and the customer(s) you could plug your scanning tool into that.

Or if the ASA in question was a 5506 with bridge-group interface support then you could make the customer and scanning server interfaces part of the same bridge-group. 
