01-07-2010 01:20 AM - edited 03-11-2019 09:54 AM
Does Cisco ASA or Cisco IOS support NAT hairpin (a.k.a. NAT loopback / NAT inside-to-inside)?
I was looking at some alternatives and one way is to use internal DNS, which in the specific case is not applicable, so if such a feature exists, it would be helpful.
More info on NAT hairpin: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
01-07-2010 06:56 AM
Yes there is. This wasn't in the old PIX 6.x code but is there in 7.x and above.
In addition to static (inside,inside) x.x.x.x x.x.x.x you also need the command
same-security-traffic permit intra-interface to U-turn the traffic off the same interface it was received on.
Please refer here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814
-KS
01-07-2010 07:04 AM
It is not recommended but it can work.
On the ASA you will need identity statics "static (inside,inside) xxx xxx" and the command "same-security-traffic permit intra-interface".
Please be careful with asymmetric routing situations (computer sending to ASA, ASA hairpinning, but return traffic going from computer to computer, not through the ASA).
PK
01-07-2010 07:12 AM
You can NAT traffic entering and leaving out the same interface using static and nat statements.
Something like this should work:

                         |--- Server A 192.168.0.11 (10.1.119.198)
                         |
Internet <----> ASA <--- |
                         |
                         |--- Host A 192.168.0.1

static (inside,outside) 10.1.119.198 192.168.0.11
static (inside,inside) 10.1.119.198 192.168.0.11
same-security-traffic permit intra-interface
access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit icmp any any
access-group acl_outside in interface outside
access-group acl_inside in interface inside
From inside host 192.168.0.1:
Router#ping 10.1.119.198 rep 100000
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 10.1.119.198, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
From outside host:
C:\Documents and Settings\joedanfo>ping 10.1.119.198 -t
Pinging 10.1.119.198 with 32 bytes of data:
Reply from 10.1.119.198: bytes=32 time=12ms TTL=252
01-07-2010 08:12 AM
Hello,
Hairpin NAT is totally supported on ASA, with of course the same-security-traffic command. For e.g., if you would like all your internal USERS to access an INTERNAL website with its EXTERNAL IP, then you can do a static (in,in).
In most cases where you would like to do such kind of hairpinning, you need to be mindful of the ASYMMETRIC ROUTING issues. But we have workarounds for them as well.
Thanks,
Vijaya
01-07-2010 09:55 PM
Although not applicable in my case, for academic curiosity how would you fix asymmetric routing if it exists?
01-08-2010 06:42 AM
Well there are 2 ways to fix such kind of asymmetric routing:
1) Have the ASA proxy for both the destination and source IP. That would mean having 2 identity statics, for the source and destination. That could cause other problems though, as the ASA is proxying for IP addresses that are not its own and belong to another machine in the same subnet.
2) Use TCP state bypass (introduced in 8.2). The ASA will not check if the TCP state of the packets is honored, so it will let them through.
I hope it helps.
PK
01-07-2010 09:53 PM
Is this applicable when using PAT as well? In our case we have a public address (not the outside interface address) that is used with static commands to redirect traffic to various internal servers, i.e.
static (inside,outside) tcp 192.168.96.149 www 10.10.10.25 8020 netmask 255.255.255.255
static (inside,outside) tcp 192.168.96.149 88 10.10.10.26 8030 netmask 255.255.255.255
static (inside,outside) tcp 192.168.96.149 https 10.10.10.25 8023 netmask 255.255.255.255
Regards.
01-08-2010 06:43 AM
From what you are telling me, this is not hairpin, this is regular PAT, and it should work.
PK
01-09-2010 12:48 PM
So, you are running into asymmetric routing issues in your network, where you can ONLY establish successful UDP/stateless communication from one inside subnet to another and NOT TCP/stateful communications.
There are three workarounds in such scenarios:
1. Easiest is to use the new tcp-state-bypass mechanism in the 8.1(x) code. But you need to upgrade your firewall to use it, as you are at 7.2 now.
Here is a link to help you:
http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
Scene 1: when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS THE INSIDE IP OF THE FIREWALL.
2. You can use nat (inside) 1 0 0 and global (inside) 1 interface and then use
static (inside,inside) x.x.x.0 y.y.y.0 netmask 255.255.255.0
static (inside,inside) y.y.y.0 x.x.x.0 netmask 255.255.255.0
Where x.x.x.0 is one of the inside subnets and y.y.y.0 is another inside subnet.
In this workaround, you may be able to open connections only one way, i.e. from x.x.x.0 to y.y.y.0, and not vice versa.
Scene 2: when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS THE ROUTER's IP address.
3. Here you can let the inter-subnet routing be taken care of by the router and then set a default route on the router which points to the ASA's inside interface.
This will make sure that all internet traffic of all inside subnets goes THROUGH the firewall, and as far as TWO-WAY inter-subnet communication is concerned, the router will take care of it just fine.
HTH
Vijaya
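As an added illustration of the asymmetric-routing problem raised in the two replies above (PK's "proxy for both source and destination" fix and workaround 2 here, nat (inside) with global (inside) interface), the following Python model is not code from this thread or from Cisco. It walks one TCP SYN from the inside host to the server's public address through a static (inside,inside) translation, once with only the destination rewritten and once with the source also PAT-ed to the ASA's inside interface. The host, server and public addresses are the ones in the diagram earlier in the thread; the ASA inside interface address 192.168.0.254 and the /24 subnet are assumptions made for the example.

```python
"""Model of ASA hairpin NAT and the asymmetric return path (added example).

Without source translation the server answers the host directly on the shared
LAN, so the SYN-ACK arrives from the server's private address rather than the
public address the host connected to, and the host's TCP stack discards it.
With the source PAT-ed to the ASA's inside interface the reply must come back
through the ASA, which untranslates both addresses and the handshake succeeds.
"""
from dataclasses import dataclass

HOST = "192.168.0.1"          # inside host (from the thread's diagram)
SERVER_PRIV = "192.168.0.11"  # server's real inside address (from the diagram)
SERVER_PUB = "10.1.119.198"   # server's public address in static (inside,inside)
ASA_INSIDE = "192.168.0.254"  # assumed ASA inside interface address
INSIDE_NET = "192.168.0."     # assumed /24; crude same-subnet check is enough here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN-ACK"


def same_subnet(a: str, b: str) -> bool:
    """True when both addresses sit on the assumed inside /24."""
    return a.startswith(INSIDE_NET) and b.startswith(INSIDE_NET)


class Asa:
    """static (inside,inside) SERVER_PUB SERVER_PRIV, plus optional source PAT
    (the nat (inside) 1 0 0 / global (inside) 1 interface workaround)."""

    def __init__(self, source_pat: bool):
        self.source_pat = source_pat
        # connection table: (server, translated client) -> (original src, original dst)
        self.conns: dict[tuple[str, str], tuple[str, str]] = {}

    def forward_to_server(self, pkt: Packet) -> Packet:
        if pkt.dst != SERVER_PUB:
            raise ValueError("only hairpin traffic to the public address is modelled")
        new_src = ASA_INSIDE if self.source_pat else pkt.src
        self.conns[(SERVER_PRIV, new_src)] = (pkt.src, pkt.dst)
        return Packet(new_src, SERVER_PRIV, pkt.flags)

    def untranslate_reply(self, pkt: Packet):
        """Reverse both translations; None means no matching connection (dropped)."""
        orig = self.conns.get((pkt.src, pkt.dst))
        if orig is None:
            return None
        orig_src, orig_dst = orig
        return Packet(orig_dst, orig_src, pkt.flags)


def simulate(source_pat: bool) -> dict:
    """Run the SYN / SYN-ACK exchange and report what the host sees."""
    asa = Asa(source_pat)
    syn = Packet(HOST, SERVER_PUB, "SYN")
    at_server = asa.forward_to_server(syn)
    reply = Packet(SERVER_PRIV, at_server.src, "SYN-ACK")

    # A reply addressed to a neighbour on the server's own subnet is delivered
    # by ARP/switching directly; the ASA never sees it.  Only a reply addressed
    # to the ASA itself goes back through the firewall.
    if reply.dst != ASA_INSIDE and same_subnet(reply.src, reply.dst):
        delivered = reply
    else:
        delivered = asa.untranslate_reply(reply)

    # The host only accepts a SYN-ACK from the address it sent the SYN to.
    handshake_ok = (delivered is not None
                    and delivered.src == SERVER_PUB and delivered.dst == HOST)
    return {
        "reply_src_seen_by_host": delivered.src if delivered else None,
        "via_asa": delivered is not None and delivered is not reply,
        "tcp_handshake_ok": handshake_ok,
    }


if __name__ == "__main__":
    for pat in (False, True):
        print(f"source PAT {'on ' if pat else 'off'}: {simulate(pat)}")
```

The model deliberately ignores ICMP, which is why the ping test earlier in the thread succeeds even though TCP from the same host would not: an echo reply that shows up from 192.168.0.11 instead of 10.1.119.198 is still counted by most ping implementations, whereas a TCP stack has no connection for it. The source-PAT path also shows the price of that workaround the replies mention: the server only ever sees the ASA's inside address, so its logs lose the real client.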