2521 Views, 0 Helpful, 21 Replies

Hairpinning?

Computerwiz24
Level 1

Hello,

I have a Cisco ASA 5505 Firewall I need some help with. I have 2 cameras set up on my inside network that I need access to from my outside network. I set up the NAT rules from outside to inside along with the access list to allow traffic. Everything works fine as long as I'm not on my internal network. When I'm on my internal network it doesn't work. I need to set it up so I can use my external IP for both internal and external use. Doing some research I think I need to use hairpinning? I have tried setting it up but not having much luck. Can someone help me with the config needed for hairpinning? I can post my config if needed. Thank you for any help on this issue.

Accepted Solution

Yes, and since you need access on 2 destination ports, you can add 2 of these statements with 2 different port numbers - one real and the other mapped.

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1

'any' will be your inside network 192.168.1.0/x

obj-real = 192.168.1.200

obj-map = x.x.x.x

MAPPED_port = first mapped port on which access is needed

MAPPED_port1 = second port on which access is needed

REAL_port1 = the actual port on which the server is listening

If you don't have a second destination port, you can just add one statement.

HTH

-

AJ

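As an added example (not posted by anyone in this thread), here is the complete ASA 8.3+ configuration that the accepted solution describes, with the object definitions that the two nat statements refer to. The names obj-map, obj-real, MAPPED_port, MAPPED_port1, REAL_port and the address 192.168.1.200 come from the thread; 203.0.113.10 (the outside IP written as x.x.x.x above), 192.168.1.201 (a second camera), the mapped ports 8081/8082 and the listening port 80 are assumed placeholders. The example goes one step beyond the thread by giving each camera its own real object, since the original question has two separate camera hosts.

```cisco
! Added example, not from the thread. ASA 8.3+ twice NAT for hairpinning
! (inside,inside) so inside clients can reach two cameras via the outside IP.
! Addresses and ports marked "assumed" are placeholders, not values from the thread.
!
! Required so that traffic entering and leaving the same interface is allowed.
same-security-traffic permit intra-interface
!
! Mapped (public) address: placeholder for the ASA outside IP (x.x.x.x in the thread).
object network obj-map
 host 203.0.113.10
!
! Real camera addresses: 192.168.1.200 is from the thread, 192.168.1.201 is assumed.
object network obj-real
 host 192.168.1.200
object network obj-real1
 host 192.168.1.201
!
! Destination service objects. Mapped ports 8081/8082 and real port 80 are assumed.
object service MAPPED_port
 service tcp destination eq 8081
object service MAPPED_port1
 service tcp destination eq 8082
object service REAL_port
 service tcp destination eq 80
!
! Hairpin rules, one per mapped port. "source dynamic any interface" PATs the
! inside client to the inside interface address so the camera's reply returns to
! the ASA (symmetric flow). The destination is un-NATed from the public IP and
! mapped port to the camera and its real port.
nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port
nat (inside,inside) source dynamic any interface destination static obj-map obj-real1 service MAPPED_port1 REAL_port
```

Twice NAT rules are evaluated top-down and the first match wins, which is why a rule with service any swallows traffic for both cameras. Because each rule above is keyed on a different mapped destination port, the two rules can no longer both match the same packet, so their relative order stops mattering.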

21 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Are you using the same-security-traffic permit intra-interface command on the ASA?

Also, please share the config snippet that you have used for the hairpinning.

Please share the packet tracer output for the inside traffic as well.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I do have same-security-traffic permit intra-interface enabled on the ASA. I deleted my hairpinning config to start over. Do I need a route from inside to inside? Also, do I need a NAT statement to pass hairpinning traffic? Attached is my running config. Thank you

Hi,

Please share the packet tracer output for the concerned traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Attached is the packet tracer output. Thank you

Hi,

It gives an ACL drop, but you have already enabled the same-security command.

So could you check if you have a NAT statement configured for the traffic?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I have a NAT rule set up but I don't know if I have it correct. I attached my running config.

Thank you

Don't have any config to take a look at, but you could try editing your hairpin NAT rule:

nat (inside,inside) source static <inside_client_ip> <inside_client_ip> destination static <outside_camera_ip> <inside_camera_ip>

niko,

Can I use <any> for my client IP? I want any inside address to be able to access the cameras. I can attach my running config if that helps?

Thank you

So I got part of it figured out. I have one camera working but the other still doesn't work. I think the reason is I have to use <any> Service to get it to work. Since I have to use my outside interface for the destination on both, I'm thinking the service port will determine which NAT rule to use. With <any> service port the first NAT rule accepts and it never makes it to the next rule; therefore the 2nd camera never gets permitted. I change the order of the NAT rules and the other camera starts working. If I change the service to the port I'm using instead of <any> the camera quits working. Any idea what causes this?

Can you please share the 2 NAT statements that you added when using 'port' instead of 'any' in the (inside,inside) nat statement. Also, please attach the syslogs you see when neither camera works.

We have to use a port-based NAT statement because if we use 'any', as you correctly figured out, only the first nat will be honored and the second will never be matched.

Also, I would recommend PATing the inside user to the inside interface IP address so that the reply packet comes to the ASA interface and the traffic flow is symmetric.

Something like below:

nat (inside,inside) source static <inside_client_ip> <inside interface ip> ...*************

-

AJ
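As an added example (not from any poster in the thread), these are the exec-mode checks that go with Aditya's request for packet-tracer output and AJ's request for syslogs. 192.168.1.50 is an assumed inside client, 203.0.113.10 and 8081 are placeholders for the outside IP and the first mapped port, and 192.168.1.200 is the camera address from the thread.

```cisco
! Added example, not from the thread: verifying a hairpin NAT rule on the ASA.
! 192.168.1.50 (inside client), 203.0.113.10 (outside IP) and 8081 (mapped port)
! are assumed placeholders.
!
! 1. Confirm the (inside,inside) rules exist and note their order; twice NAT
!    is evaluated top-down, first match wins.
show running-config nat
show nat detail
!
! 2. Simulate an inside client connecting to the public IP on the mapped port.
!    Look for the NAT phase that references the (inside,inside) rule and
!    un-translates the destination to 192.168.1.200, and a final Result: ALLOW.
!    A drop in the ACL phase with same-security-traffic already permitted
!    points at a missing or non-matching NAT rule, as Aditya notes above.
packet-tracer input inside tcp 192.168.1.50 12345 203.0.113.10 8081 detailed
!
! 3. After a real connection attempt, confirm the translation was built and
!    pull any syslog lines mentioning the camera.
show xlate
show logging | include 192.168.1.200
```

Run the packet-tracer once per mapped port (8081, then the second port) so that both rules are exercised; if only the first succeeds, the second rule is either missing its service objects or is shadowed by an earlier rule that still uses service any.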

Linkin.24

Is this what you need to see?

These are the NAT statements I have when neither camera works

See Attached


If I change it to what's shown in this screen shot attached one camera will work

Thank you

Hello,

The screenshot didn't help much. I am used to the CLI anyway. Could you please have 2 NAT statements as below:

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port

nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1

Add these for the 2 different destination ports as required. You can follow the doc below, which has the same example:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html

Remember, the only way it can work is to make one of these things unique: source address, destination address, source port or destination port. Unfortunately, the only thing we can utilize is the destination port. Please try in a maintenance window and let us know if it works.

-

AJ

AJ,

I don't quite understand the twice NAT. Can you explain and post an example?

Thank you
