cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
67174
Views
16
Helpful
9
Replies

Nat Hairpin

pavlosd
Level 2
Level 2

Does Cisco ASA or Cisco IOS support NAT hairpin  (a.k.a. NAT loopback / NAT inside-to-inside)?

I was looking at some alternatives and one way is to use internal DNS, which in the specific case is not applicable, so if such a feature exists, would be helpful.

More info on NAT Hairpin.... http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html

9 Replies 9

Kureli Sankar
Cisco Employee
Cisco Employee

Yes there is. This wasn't in the old PIX 6.x code but is there in 7.x and above.

In addition to static (inside,inside) x.x.x.x x.x.x.x you also need this command

same-security-traffic permit intra-interface to U-Turn the traffic off the same interface it was received on.

Pls. refer here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

-KS

Panos Kampanakis
Cisco Employee
Cisco Employee

It is not recommended but it can work.

On the ASA you will need identity statics "static(inside,inside) xxx xxx" and the command "same-security-traffic permit intra-interface".

Please be careful with asymmetric routing situations (computer sending to ASA, ASA hair pinning but return traffic going from computer to computer not through the ASA)

PK

Joe B Danford
Cisco Employee
Cisco Employee

You can nat for traffic entering and leaving out the same interface using statics and nat statements.

Something liek this should work

                                  |--- Server A 192.168.0.11 (10.1.119.198)
                                  |   
Internet <----> ASA <--- |
                                  |
                                  |--- Host A 192.168.0.1


static (inside,outside) 10.1.119.198 192.168.0.11
static (inside,inside) 10.1.119.198 192.168.0.11
same-security-traffic permit intra-interface

access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit icmp any any
access-group acl_outside in interface outside
access-group acl_inside in interface inside

From inside host 192.168.0.1

Router#ping 10.1.119.198 rep 100000

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 10.1.119.198, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

From Outside Host

C:\Documents and Settings\joedanfo>ping 10.1.119.198 -t

Pinging 10.1.119.198 with 32 bytes of data:

Reply from 10.1.119.198: bytes=32 time=12ms TTL=252

Hello,

Hairpin NAT is totally supported on ASA with of course the same-security-traffic command. For e.g you would like all your internal USERS  to acess an INTERNAL website with its EXTERNAL IP, then you can do a static (in,in) netmask 255.255.255.255.

In most cases, where you would like to do such kind of Hairpinning, you need to be mindful of the ASYMMETRIC ROUTING issues. But we have workarounds for them as well..

Thanks,

Vijaya

Although not applicable in my case, for academic couriosity how will you fix assymetric routing if it exists?

Well there are 2 ways to fix such kind of asymmetric routing:

1) Have the ASA proxy for both the destination and source ip. That would mean having 2 identity static for the source and destination. That could cause other problems though ASA the ASA is proxying for ip addresses that are not his and belong to another machine in the same subnet.

2) Use tcp state bypass (introduced in 8.2). The ASA will not check if the TCP stat of the packets is honored so it will let them through.

I hope it helps.

PK

Is this applicable when using PAT as well? In our case we have a public address (not the outside interface address) that is used with static commands to redirect traffic to various internal servers. i.e.

static (inside,outside) tcp 192.168.96.149 www 10.10.10.25 8020 netmask 255.255.255.255
static (inside,outside) tcp 192.168.96.149 88 10.10.10.26 8030 netmask 255.255.255.255
static (inside,outside) tcp 192.168.96.149 https 10.10.10.25 8023 netmask 255.255.255.255

Regards.

From what you are telling me this is not hairpin this is regular PAT and it should work.

PK

vilaxmi
Cisco Employee
Cisco Employee

So, you are running into assymetric routing issues in your network, where you can ONLY establish successful UDP/Stateless communication from one inside subnet to another  and NOT TCP/Stateful communications.

There are three workarounds in such scenarios :

1. Easiest is to use the new tcp-state-bypass mechnaism in the 8.1(x) code. But you need to upgrade you can also use our firewall to use it as you are at 7.2 now.

Here is  a link to help you :

http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

Scene 1 : when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS INSIDE IP OF FIREWALL.

2. You can  use nat (inside) 1 0 0 and global (inside) 1 interface and then use

static (inside,inside) x.x.x.0 y.y.y.0 netmask 255.255.255.0

static (inside,inside)  y.y.y.0 x.x.x.0 netmask 255.255.255.0

Where x.x.x.0 is one of the inside subnets and y.y.y.0 is another inside subnet.

In this wrorkaround, you may be able to open connections only one way, i.e. from x.x.x.0 to y.y.y.0. and not vice versa.

Scene 1 : when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS ROUTER's IP address.

3. Here you can let the inter subnet routing being taken care of by the router and then set a default route on router which points to ASA's inside ifc.

This will make sure that all internet traffic of all inside subnets go THROUGH the firewall, and as long as TWO WAY inter subnet communication is concerned, router will take care of it just fine.

HTH

Vijaya

Review Cisco Networking for a $25 gift card