Having issue with connecting to device (NVR) on same inside interface using external IP address - Hairpin - Loopback Routing

TechnoMo816
Level 1

I'm trying to configure an ASA 5506 (ver. 9.8.1) to allow a device on the inside interface (smartphone connected to local network via wi-fi) to access an NVR (network video recorder) that is also on the same inside interface, however, I would like to accomplish this by using the outside interface address.

 

Currently I have NAT & ACL set up to allow a user that is off-site (over the internet) to connect to the NVR using the outside IP address that is NATed to the inside address of the NVR; it is working great. My problem is when a user is on-site and connected to the wi-fi, the smartphone app (configured with the outside IP address) will not connect to the NVR on the same inside interface using the outside IP address.

 

Side note: The current NAT (inside, outside) rule is configured to use TCP port 8000 (port 8000 is an example, actual port is different).

 

Also, I have enabled same-security-traffic permit intra-interface as well as same-security-traffic permit inter-interface.

 

When the user is connected to the inside network via local wi-fi, and I insert the internal IP address of the NVR into the smartphone app, it obviously works. Simple enough; however, my customer does not understand networks and they expect to be able to open the smartphone app and pull up the cameras whether they are connected to the local wi-fi, or when they are halfway around the world on business. I could set up two connections in the smartphone app (local cameras & remote cameras), but I need it to pull up the cameras using only the outside IP address regardless of whether the user is connected to the inside interface or they are connecting from the outside world through the outside interface.

 

I have successfully set this up in the past on a Cisco ASA 5505 using nat (inside, inside) and it worked great. I've also heard of this being referred to as hairpin or loopback routing.

 

Can someone give me a configuration example of how to make this work? Thanks in advance!

1 Reply

Bogdan Nita
VIP Alumni

Hi @TechnoMo816,

There are 2 possible solutions to your problem:

- DNS-doctoring

- U-turn (also called hairpin) NAT

https://supportforums.cisco.com/t5/security-documents/dns-doctoring-and-u-turning-on-the-asa-quot-when-and-how-to-use/ta-p/3153693

Both of them should work on 9.8, but if you still can't get it to work, it would help if you could share the config.

 

HTH

Bogdan
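As an added illustration of the U-turn (hairpin) NAT option from the reply above, here is a twice-NAT configuration for ASA 9.x in the post-8.3 object syntax. It is not from the original thread or from Cisco's document; the addresses (inside LAN 192.168.1.0/24, NVR 192.168.1.50, outside address 203.0.113.10, phone 192.168.1.100) and the object names are assumptions, and TCP 8000 is the placeholder port the poster used. Since the app is configured with the outside IP address rather than a hostname, DNS doctoring does not apply here, which is why the example shows the U-turn rule only.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: inside LAN 192.168.1.0/24, NVR 192.168.1.50 on TCP 8000,
! outside interface address 203.0.113.10 (assumed static).

! Required so a flow may enter and leave the same interface (already set by the poster).
same-security-traffic permit intra-interface

object network obj-inside-net
 subnet 192.168.1.0 255.255.255.0
object network obj-outside-ip
 host 203.0.113.10
object service svc-tcp-8000
 service tcp destination eq 8000

! Existing rule for off-site users: 203.0.113.10:8000 -> 192.168.1.50:8000 (object NAT, static PAT).
object network obj-nvr
 host 192.168.1.50
 nat (inside,outside) static interface service tcp 8000 8000

! U-turn rule for on-site users (twice NAT, so it sits in section 1 and is
! evaluated before the object NAT rule above).
!   source:      LAN hosts are PATed to the inside interface address, so the NVR
!                replies to the ASA instead of directly to the phone (asymmetric
!                return path would otherwise break the TCP session)
!   destination: 203.0.113.10:8000 is translated back to the NVR's real address
nat (inside,inside) source dynamic obj-inside-net interface destination static obj-outside-ip obj-nvr service svc-tcp-8000 svc-tcp-8000

! Check from the CLI: simulate the phone connecting to the public address on port 8000.
! The trace should show the (inside,inside) NAT rule matched and the final result ALLOW.
packet-tracer input inside tcp 192.168.1.100 40000 203.0.113.10 8000 detailed
```

Two things to verify on the running box: the inbound ACL applied to the inside interface must permit the LAN hosts to reach the NVR (the packet-tracer output shows which ACL line matched), and if the NVR listens on a different real port than the one exposed publicly, use two service objects (real port first, mapped port second) rather than the same object twice. If the outside address is assigned by DHCP rather than static, the `obj-outside-ip` host object has to track that address, which is a reason to prefer a static outside IP for this design.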

 
