02-23-2017 04:49 AM - edited 03-12-2019 01:58 AM
Hello everyone,
I have a problem with NAT hairpinning.
So, I have a simple topology, shown below.
I want to ping the public NAT IP (12.13.14.15) from the host (10.11.12.13) on the inside interface, but it is still not working.
Host
10.11.12.13/24 -----------------------+
                                      |
                 (Inside Interface) ASA01 <-------PRODINT----> ASA02 -----> OUTSIDE
                                      |
10.11.12.15/25 (12.13.14.15) ---------+
Server
I have the following configuration on ASA02:
same-security-traffic permit intra-interface
access-list acl-prodint extended permit icmp any any
access-list acl-outside extended permit icmp any any
static (prodint,outside) 12.13.14.15 10.11.12.15
static (prodint,prodint) 12.13.14.15 10.11.12.15
On ASA01 we permit any any,
but the host still cannot ping the server's public IP.
Could you please help with my problem?
02-23-2017 09:02 AM
10.11.12.15/25 (12.13.14.15) ----------
Is the /25 a typo? You indicate /24 on your other inside IP. Just curious.
But your problem here is most likely asynchronous routing. I would assume that if you look at the ASA logs or even set up a capture you will see traffic going in one direction but nothing coming back, or perhaps in the syslog you will see a drop due to no connection. This is because you are sending traffic to the 12.13.14.15 IP, the ASA sends it back to 10.11.12.15 but still with a source IP of 10.11.12.13. 10.11.12.15 sees that it is on the same network as 10.11.12.13 and sends the traffic directly to the host with a source IP of 10.11.12.15.
You could mitigate this in version 8.3 and later, where you can NAT both source and destination IPs. However, you are not able to do this in 8.2 and earlier.
What you want to do on your ASA running 8.2 or earlier is not possible.
--
Please remember to select a correct answer and rate helpful posts
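The asymmetric path described in the answer, traced as an added example (not code from the thread or from Cisco): with destination-only hairpin NAT the server answers the host directly and the host gets a reply from 10.11.12.15 instead of 12.13.14.15; with source and destination NAT (8.3+) the reply is forced back through the ASA. The ASA inside interface address 10.11.12.1 and the /24 LAN are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values from the thread's topology; the ASA inside IP is assumed.
INSIDE_LAN = ip_network("10.11.12.0/24")
HOST, SERVER, PUBLIC = "10.11.12.13", "10.11.12.15", "12.13.14.15"
ASA_INSIDE = "10.11.12.1"  # hypothetical prodint interface address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def asa_forward(pkt: Packet, twice_nat: bool) -> Packet:
    """Hairpin inbound leg: static (prodint,prodint) rewrites the destination
    public -> real. With twice NAT (8.3+) the source is rewritten as well, so
    the server's reply has to come back through the firewall."""
    src = ASA_INSIDE if twice_nat else pkt.src
    return Packet(src, SERVER)


def asa_reverse(pkt: Packet, twice_nat: bool) -> Packet:
    """Untranslate the reply: real -> public, and ASA_INSIDE -> original host."""
    dst = HOST if twice_nat else pkt.dst
    return Packet(PUBLIC, dst)


def ping_public(twice_nat: bool) -> tuple[list[str], bool]:
    """Trace host -> 12.13.14.15 and report whether the echo reply matches
    what the host is waiting for (a reply sourced from PUBLIC)."""
    trail = []
    request = Packet(HOST, PUBLIC)
    inside = asa_forward(request, twice_nat)
    trail.append(f"asa->server {inside.src}>{inside.dst}")
    reply = Packet(SERVER, inside.src)
    # The server has no NAT awareness: if the reply's destination is on its own
    # subnet it is delivered directly via ARP, bypassing the ASA entirely.
    if ip_address(reply.dst) in INSIDE_LAN and reply.dst != ASA_INSIDE:
        trail.append(f"server->host direct {reply.src}>{reply.dst}")
        delivered = reply
    else:
        trail.append(f"server->asa {reply.src}>{reply.dst}")
        delivered = asa_reverse(reply, twice_nat)
        trail.append(f"asa->host {delivered.src}>{delivered.dst}")
    # The host only accepts a reply from the address it pinged.
    return trail, delivered.src == PUBLIC and delivered.dst == HOST
```

Run `ping_public(False)` to see the 8.2 behaviour the answer describes and `ping_public(True)` for the 8.3+ twice-NAT path.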