NAT hairpinning, from host to same host (8.3)

Under 8.3, I have static NAT:

nat (INSIDE,OUTSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2

nat (INSIDE,OUTSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3

...with hairpinning enabled:

same-security-traffic permit intra-interface

nat (INSIDE,INSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2

nat (INSIDE,INSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3

Host #1 with private IP "PRIVATE1" can connect to host #2, via both private (10.x.x.x) and public IPs (17.22.16.3); and vice-versa. 

But Host #1 cannot connect with its own public IP, nor can Host #2 connect with itself by public IP.

packet-tracer shows:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,INSIDE) source static PRIVATE1 IP_17.22.16.2
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Google says this means that the ASA refused to route from an IP to itself. So where is the "same-host-traffic permit" command?

My Ascend Pipeline50 handled this NAT task, so I'm sure there's a way!

ACCEPTED SOLUTION
Luis Silva Benavides
Cisco Employee

Hi Bradley,

Lets try to NAT the source of the traffic to the inside interface of the ASA and also translate the destination address from public to private.

nat (inside,inside) source dynamic any interface destination static PUBLICIP_17.22.16.2 PRIVATE1

Let me know how it goes.

Luis

Luis Silva

Thanks, Luis. Your suggestion to src-nat to the firewall IP worked well. It made the traffic flow symmetric (usually good), as now the reply packets will flow through the firewall as well. The only downside is that now when one client on the private LAN connects to a server on the LAN by that server's public IP, the server will see all those connections as coming "from the firewall." If local security policy requires logging the client IP, then it might be preferable to src-nat 1:1 (rather than PAT to the firewall's private IP).

Bradley,

I am glad it worked for you! I see your point. Instead of using "any" you can create an object with just the range you want to translate.

Luis

Luis Silva
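The thread pieces the fix together across three posts; below is the whole thing as one ASA 8.3 hairpin configuration. This is an added example, not config from the original poster or from Cisco. The object name INSIDE_NET and the addresses 10.0.0.0/24, 10.0.0.11 (PRIVATE1) and 10.0.0.12 (PRIVATE2) are assumptions standing in for the "10.x.x.x" hosts the thread never spells out. It uses an object for the inside range instead of `any`, as Luis suggested in his last reply, and gives the hairpin rules explicit line numbers so they are evaluated before the broader static (INSIDE,INSIDE) rules from the question (section 1 twice-NAT rules are matched first-hit, in order).

```cisco
! Added example assembled from the thread; not the original poster's config.
! Assumed addressing (the thread only says "10.x.x.x"):
!   INSIDE_NET = 10.0.0.0/24, PRIVATE1 = 10.0.0.11, PRIVATE2 = 10.0.0.12
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network PRIVATE1
 host 10.0.0.11
object network PRIVATE2
 host 10.0.0.12
object network PUBLICIP_17.22.16.2
 host 17.22.16.2
object network PUBLICIP_17.22.16.3
 host 17.22.16.3
!
! Let a flow enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface
!
! Ordinary static NAT toward the OUTSIDE, as in the original post.
nat (INSIDE,OUTSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2
nat (INSIDE,OUTSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3
!
! Hairpin rules from the accepted solution, one per published server.
! Lines 1 and 2 put them at the top of section 1, ahead of the static
! (INSIDE,INSIDE) rules below, so inside-to-public-IP traffic hits them first.
! Source is PAT'd to the INSIDE interface address, so the server's reply has
! to come back through the ASA; destination is un-NAT'd from the public
! address to the real host. INSIDE_NET scopes the rule instead of "any".
nat (INSIDE,INSIDE) 1 source dynamic INSIDE_NET interface destination static PUBLICIP_17.22.16.2 PRIVATE1
nat (INSIDE,INSIDE) 2 source dynamic INSIDE_NET interface destination static PUBLICIP_17.22.16.3 PRIVATE2
!
! The original (INSIDE,INSIDE) static rules from the question, now evaluated
! only after the two hairpin rules above.
nat (INSIDE,INSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2
nat (INSIDE,INSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3
!
! Check the case that was failing: host 1 talking to its own public IP.
! With the hairpin rule in place the NAT phase should report the
! "source dynamic INSIDE_NET interface" rule and the trace should end in
! "Action: allow" instead of sp-security-failed.
packet-tracer input INSIDE tcp 10.0.0.11 12345 17.22.16.2 80
```

As Bradley noted, the price of PAT to the interface address is that the server logs every such connection as coming from the ASA's INSIDE address; if the client IP must be preserved in server logs, a 1:1 source translation would be needed in place of `interface`.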