Showing results for 
Search instead for 
Did you mean: 


Nat Hairpin

Does Cisco ASA or Cisco IOS support NAT hairpin  (a.k.a. NAT loopback / NAT inside-to-inside)?

I was looking at some alternatives and one way is to use internal DNS, which in the specific case is not applicable, so if such a feature exists, would be helpful.

More info on NAT Hairpin....

Kureli Sankar
Cisco Employee

Yes there is. This wasn't in the old PIX 6.x code but is there in 7.x and above.

In addition to static (inside,inside) x.x.x.x x.x.x.x you also need this command

same-security-traffic permit intra-interface to U-Turn the traffic off the same interface it was received on.

Pls. refer here:


Panos Kampanakis
Cisco Employee

It is not recommended but it can work.

On the ASA you will need identity statics "static(inside,inside) xxx xxx" and the command "same-security-traffic permit intra-interface".

Please be careful with asymmetric routing situations (computer sending to ASA, ASA hair pinning but return traffic going from computer to computer not through the ASA)


Joe B Danford
Cisco Employee

You can nat for traffic entering and leaving out the same interface using statics and nat statements.

Something liek this should work

                                  |--- Server A (
Internet <----> ASA <--- |
                                  |--- Host A

static (inside,outside)
static (inside,inside)
same-security-traffic permit intra-interface

access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit icmp any any
access-group acl_outside in interface outside
access-group acl_inside in interface inside

From inside host

Router#ping rep 100000

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to, timeout is 2 seconds:

From Outside Host

C:\Documents and Settings\joedanfo>ping -t

Pinging with 32 bytes of data:

Reply from bytes=32 time=12ms TTL=252


Hairpin NAT is totally supported on ASA with of course the same-security-traffic command. For e.g you would like all your internal USERS  to acess an INTERNAL website with its EXTERNAL IP, then you can do a static (in,in) netmask

In most cases, where you would like to do such kind of Hairpinning, you need to be mindful of the ASYMMETRIC ROUTING issues. But we have workarounds for them as well..



Although not applicable in my case, for academic couriosity how will you fix assymetric routing if it exists?

Well there are 2 ways to fix such kind of asymmetric routing:

1) Have the ASA proxy for both the destination and source ip. That would mean having 2 identity static for the source and destination. That could cause other problems though ASA the ASA is proxying for ip addresses that are not his and belong to another machine in the same subnet.

2) Use tcp state bypass (introduced in 8.2). The ASA will not check if the TCP stat of the packets is honored so it will let them through.

I hope it helps.


Is this applicable when using PAT as well? In our case we have a public address (not the outside interface address) that is used with static commands to redirect traffic to various internal servers. i.e.

static (inside,outside) tcp www 8020 netmask
static (inside,outside) tcp 88 8030 netmask
static (inside,outside) tcp https 8023 netmask


From what you are telling me this is not hairpin this is regular PAT and it should work.


Cisco Employee

So, you are running into assymetric routing issues in your network, where you can ONLY establish successful UDP/Stateless communication from one inside subnet to another  and NOT TCP/Stateful communications.

There are three workarounds in such scenarios :

1. Easiest is to use the new tcp-state-bypass mechnaism in the 8.1(x) code. But you need to upgrade you can also use our firewall to use it as you are at 7.2 now.

Here is  a link to help you :

Scene 1 : when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS INSIDE IP OF FIREWALL.

2. You can  use nat (inside) 1 0 0 and global (inside) 1 interface and then use

static (inside,inside) x.x.x.0 y.y.y.0 netmask

static (inside,inside)  y.y.y.0 x.x.x.0 netmask

Where x.x.x.0 is one of the inside subnets and y.y.y.0 is another inside subnet.

In this wrorkaround, you may be able to open connections only one way, i.e. from x.x.x.0 to y.y.y.0. and not vice versa.

Scene 1 : when all the users in both subnets behind your firewall HAVE THEIR DEFAULT GATEWAY SET AS ROUTER's IP address.

3. Here you can let the inter subnet routing being taken care of by the router and then set a default route on router which points to ASA's inside ifc.

This will make sure that all internet traffic of all inside subnets go THROUGH the firewall, and as long as TWO WAY inter subnet communication is concerned, router will take care of it just fine.



Recognize Your Peers
Content for Community-Ad