Having issue with connecting to device (NVR) on same inside interface using external IP address - Hairpin - Loopback Routing
I'm trying to configure an ASA 5506 (ver. 9.8.1) to allow a device on the inside interface (smartphone connected to local network via wi-fi) to access an NVR (network video recorder) that is also on the same inside interface, however, I would like to accomplish this by using the outside interface address.
Currently I have NAT & ACL setup to allow a user that is off-site (over the internet) to connect to the NVR using the outside IP address that is nat'd to the inside address of the NVR; it is working great. My problem is when a user is on-site and connected to the wi-fi, the smartphone app (configured with the outside IP address) will not connect to the NVR on the same inside interface using the outside IP address.
Side note: The current NAT (inside, outside) rule is configured to use TCP port 8000 (port 8000 is an example, actual port is different).
Also, I have enabled same-security-traffic permit intra-interface as well as same-security-traffic permit inter-interface.
When the user is connected to the inside network via local wi-fi, and I insert theinternalIP address of the NVR into the smartphone app, it obviously works. Simple enough, however, my customer does not understand networks and they expect to be able to open the smartphone app and pull up the cameras whether they are connected to the local wi-fi, or when they are halfway around the world on business. I could setup two connections in the smartphone app (local cameras & remote cameras), but I need it to pull up the cameras using only theoutsideIP address regardless of whether the user is connected to the inside interface orthey are connecting from the outside world thru the outside interface.
I have successfully set this up in the past on a Cisco ASA 5505 using nat (inside, inside) and it worked great. I've also heard of this being referred to as hairpin or loopback routing.
Can someone give me a configuration example of how to make this work? Thanks in advance!
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi...
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use...
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.
The method used for Guest Access is the Self-Registration.
Healt Monitor using HTTP...
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the...
The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and resea...