cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

15684
Views
29
Helpful
27
Replies
bill
Beginner

NAT Hairpinning on ASA 5505 [9.1(2)]

I can't seem to get nat hairpinning to work...  Most instructions on the internet indicate how to do this with commands available prior to 8.3.

I've tried the following:

same-security-traffic permit intra-interface

asa-box(config-network-object)# object network my-inside-address-obj
asa-box(config-network-object)# nat (inside,inside) static my-outside-address-obj

which didn't work.

Then I added:

access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range

with

access-group hairpin_allow in interface inside

which also didn't work (trying to show due dilligence here...).

Then I tried:

nat (inside,inside) source static Internal_NAT_Range Internal_NAT_Range destination static External_NAT_Range External_NAT_Range

Still a no go.

Finally, I added:

"9. To avoid packet-drops due to the asymmetric nature of routing that's occuring internally, we need the ASA to bypass stateful inspection for this particular traffic. For this, we need to configure the following:

ASA(config)#access-list tcp_bypass extended permit tcp object Internal_NAT_Range object External_NAT_Range

   !--- Configure the access list to specify the TCP traffic

   !--- that needs to by-pass inspection to improve the performance.

   !--- Configure the class map and specify the match parameter for the

   !--- class map to match the interesting traffic.

   ASA(config)#class-map tcp_bypass

   ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"

   ASA(config-cmap)#match access-list tcp_bypass

   !--- Configure the policy map and specify the class map

   !--- inside this policy map for the class map.

   ASA(config-cmap)#policy-map tcp_bypass_policy

   ASA(config-pmap)#class tcp_bypass

   !--- Use the set connection advanced-options tcp-state-bypass

   !--- command in order to enable TCP state bypass feature.

   ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass

   !--- Use the service-policy policymap_name [ global | interface intf ]

   !--- command in global configuration mode in order to activate a policy map

   !--- globally on all interfaces or on a targeted interface.

   ASA(config-pmap-c)#service-policy tcp_bypass_policy inside"

Again, nothing...

My config (clean/before any of the above) is as follows...

...

object network External_NAT_Range

range x.x.56.3 x.x.59.255

object network Internal_NAT_Range

range 172.17.56.3 172.17.59.255

object network InternalIPs

subnet 172.17.56.0 255.255.248.0

object network VpnIPs

subnet 172.17.63.0 255.255.255.0

object network InternalIPs_OutOnly

range 172.17.60.1 172.17.62.254

...

nat (inside,outside) source static InternalIPs InternalIPs destination static VpnIPs VpnIPs no-proxy-arp route-lookup description Un-Nats VPN IPs

nat (inside,outside) source dynamic InternalIPs_OutOnly interface description Allows remaining interior network to access the Internet

!

object network Internal_NAT_Range

nat (inside,outside) static External_NAT_Range net-to-net

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.56.1 1

...

---------------------------------

I just want to be able to access an external resource, say, http://x.x.56.5 from an internal IP, say, 172.17.56.8

I tried to use DNS doctoring.  The configuration was much simpler, and worked, but when PTR requests came in from the internet, DNS Doctoring seemed to also translate the outbound responses to reflect my internal IP's which was obviously quite wrong...

Any help from you Cisco pros would be appreciated!

Thanks!

27 REPLIES 27

Hello Carlo,

That's it man.The asa shows its allowed

Do a capture on the inside interface to check the traffic flow.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

that was inside, let me try outside

crxasa# packet-tracer input inside tcp 208.x.x.12 smtp 12.x.x.35 80

Outside???

But aren't we supposed to be testing traffic from an inside user to a public IP address that actually belongs to an internal server???

That's what we are tshooting here.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry about that, it is inside, cause it's traffic from inside to outside

So, why U-turning???

My recommendation.. Open a new discussion, explain the issue, and let us know when you opent it.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry to confuse things, I do have the same issue as the OP, we can't get to an internal server that has a public IP or url. Just trying not have too many of the same threads, thanks.

Hello,

But traffic should not reach the outside bud (if we are talking about the same)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Carlo,

Why outside,

Explain your scenario cause then this will be a different issue than the owner of this post

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yeah, I'm rather certain my issue is definitely inside,inside... my traffic should never need to touch the outside interface (I don't think).

I want my traffic originating from inside, a my private/internal IP, to essentially, bounce through the inside interface back (via the external ip) to a private/internal IP...

Perhaps a more thorough example:

1.) Internet IP x.x.56.7 is static net-to-net nat'd to 172.17.56.7 (an internal IP)

2.) My workstation has IP 172.17.56.18.

3.) I want to browse to http://x.x.56.7 and I want it to act AS-IF I were browsing to http://172.17.56.7

4.) I want it to work this way for my whole range of internal IP's 1:1 nat'd to my whole range of external IP's.

currently, browsing to http://x.x.56.7 hangs...

Thanks guys!


Hello,

Do the following

cap capin interface inside match tcp host 172.17.56.18 eq x.x.56.7 eq 80

cap asp type asp-drop all circular-buffer

then try to connect and share

show cap capin

show cap asp | include x.x.56.7

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi guys, it works for me now, thanks for all the tips.

Hello,

Sure man,  just Remember to rate all of the helpful posts 



Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, yes I have it in there

same-security-traffic permit intra-interface

Create
Recognize Your Peers
Content for Community-Ad