09-25-2012 06:43 PM - edited 03-11-2019 04:59 PM
Under 8.3, I have static NAT:
nat (INSIDE,OUTSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2
nat (INSIDE,OUTSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3
...with hairpinning enabled:
same-security-traffic permit intra-interface
nat (INSIDE,INSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2
nat (INSIDE,INSIDE) source static PRIVATE2 PUBLICIP_17.22.16.3
Host #1 with private IP "PRIVATE1" can connect to host #2, via both private (10.x.x.x) and public IPs (17.22.16.3); and vice-versa.
But Host #1 cannot connect with its own public IP, nor can Host #2 connect with itself by public IP.
packet-tracer shows:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,INSIDE) source static PRIVATE1 IP_17.22.16.2
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Google says this means that the ASA refused to route from an IP to itself. So where is the "same-host-traffic permit" command?
My Ascend Pipeline50 handled this NAT task, so I'm sure there's a way!
09-27-2012 03:43 PM
Hi Bradley,
Let's try to NAT the source of the traffic to the inside interface of the ASA and also translate the destination address from public to private.
nat (inside,inside) source dynamic any interface destination static PUBLICIP_17.22.16.2 PRIVATE1
Let me know how it goes.
Luis
09-28-2012 08:12 AM
Thanks, Luis. Your suggestion to src-nat to the firewall IP worked well. It made the traffic flow symmetric (usually good), as now the reply packets will flow through the firewall as well. The only down-side is that now when one client on the private LAN connects to a server on the LAN by that server's public IP, the server will see all those connections as coming "from the firewall." If local security policy requires logging the client IP, then it might be preferable to src-nat 1:1 NAT (rather than PAT to the firewall's private IP).
09-30-2012 09:43 AM
Bradley,
I am glad it worked for you! I see your point. Instead of using "any" you can create an object with just the range you want to translate.
Luis
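The following is an added configuration example, not part of the thread above, that puts Luis's suggestion together with the object-based alternatives the last two replies discuss. The object names PRIVATE1 and PUBLICIP_17.22.16.2 come from the original post; the 10.0.0.0/24 subnet, the host address 10.0.0.2, the object LAN_CLIENTS and the pool HAIRPIN_POOL are assumptions for illustration.

```cisco
! --- Objects (10.0.0.x addresses and the pool range are assumed) ---
object network PRIVATE1
 host 10.0.0.2
object network PUBLICIP_17.22.16.2
 host 17.22.16.2
object network LAN_CLIENTS
 subnet 10.0.0.0 255.255.255.0
object network HAIRPIN_POOL
 range 10.0.0.200 10.0.0.210
!
! Required so that a packet may leave on the interface it arrived on
same-security-traffic permit intra-interface
!
! Normal static NAT towards the outside, as in the original post
nat (INSIDE,OUTSIDE) source static PRIVATE1 PUBLICIP_17.22.16.2
!
! Hairpin option A (the accepted fix, scoped to the LAN instead of "any"):
! PAT inside clients to the ASA's INSIDE interface address and map the
! public destination back to the private host. Because the source is
! rewritten, a host reaching its own public IP no longer produces a packet
! whose source and destination are the same address, which is what the
! sp-security-failed drop in the packet-tracer output was rejecting.
! The server logs every hairpinned connection as coming from the ASA.
nat (INSIDE,INSIDE) source dynamic LAN_CLIENTS interface destination static PUBLICIP_17.22.16.2 PRIVATE1
!
! Hairpin option B: dynamic 1:1 NAT from a small pool instead of interface
! PAT, so each client keeps a distinct translated address that can be
! correlated back to the real client with "show xlate". The pool must be
! unused addresses on the INSIDE subnet; the trailing "interface" keyword
! falls back to PAT if the pool is exhausted. Configure A or B, not both,
! since twice-NAT rules are evaluated in order and the first match wins.
! nat (INSIDE,INSIDE) source dynamic LAN_CLIENTS HAIRPIN_POOL interface destination static PUBLICIP_17.22.16.2 PRIVATE1
!
! --- Checks ---
! Simulate the host connecting to its own public address; the last phase
! should now report "Action: allow" and show the NAT rule above.
! packet-tracer input INSIDE tcp 10.0.0.2 12345 17.22.16.2 80
! Confirm hit counts on the hairpin rule and the resulting translations:
! show nat detail
! show xlate
```

With option A the server's own logs lose the client identity, so keep the ASA's connection logs (or "show xlate" output) if the policy in the thread requires attributing hairpinned connections to a client; option B trades a few spare LAN addresses for log entries that stay distinct per client.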