Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
5
Helpful
8
Replies

Problem with Hairpinning on ASA 5506-X running ASA 9.16(3)

Go to solution
johanc
Level 1
Level 1

‎08-12-2022 01:30 AM

Hi!

I have found a helpful guide here in the community to be able to configure haipinning NAT on my ASA, but can't get it to work. 

My setup
- one external IP-address assigned to outside: a.b.c.d
- one internal subnet with clients running on 10.0.17.0/24
- one DMZ with one server running on 192.168.17.0/24 (the server is on 192.168.17.3)

My goal
- to be able to connect to the server in the dmz from my clients on the inside using the external IP-address
(I can reach the server from "internet" using the external IP-address so those rules work)

What I have tried
1.
nat (inside,dmz) source static inside-network interface destination static obj-a.b.c.d obj-192.168.17.3 description Hairpin
(where obj-a.b.c.d) is a network object "host a.b.c.d" and so on.)
When trying to run this from CLI i get the following error
Result of the command: "nat (inside,dmz) source static inside-network interface destination static obj-a.b.c.d obj-192.168.17.3 description Hairpin
nat (inside,dmz) source static inside-network interface destination static obj-a ^.b.c.d obj-192.168.17.3 description Hairpin
ERROR: % Invalid input detected at '^' marker.
2.
nat (inside,dmz) source dynamic inside-network interface destination static obj-a.b.c.d obj-192.168.17.3
That gives me the same error... 

What am I doing wrong?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to johanc

‎08-12-2022 03:46 AM

and I find issue, 
there is no interface Inside the interface is 
Inside_1 ,_2 ....etc. 
give the real Interface nameif 

View solution in original post

8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎08-12-2022 01:54 AM

@johanc you can configure NAT reflection. Here is an FTD guide, though at the bottom it does have an ASA example - so apply the same logic to your ASA configuration.

https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/

 

0 Helpful

Go to solution
johanc
Level 1
Level 1
In response to Rob Ingram

‎08-12-2022 03:06 AM

Hi Rob,

But that is exactly the CLI command I have been trying. Just for clarity I added the network object as in the example and ran the command again.

Result of the command: "nat (inside,inside) source static Internal-LAN interface destination static SERVER01-NAT SERVER01"
nat (inside,inside) source static Internal-LAN interface destination static SERV ^ER01-NAT SERVER01
ERROR: % Invalid input detected at '^' marker.

I am sure that the command in the example is correct, but I have some other error somewhere, but where?
I have some other NAT-rules, can those interfere, or what am I doing wrong?
I have included an image of the current NAT-rules i have (just have blacked out some services, but they are setup the same as all others).

nat.png

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to johanc

‎08-12-2022 03:18 AM - edited ‎08-12-2022 03:26 AM

nat ( real_ifc , mapped_ifc ) source dynamic { real_obj | any }{ mapped_obj | interface  destination static { mapped_obj | interface [ ipv6 ]}{ real_obj | any }][ service { mapped_dest_svc_obj real_dest_svc_obj ]

the position of real and mapped Obj must be as show above 

0 Helpful

Go to solution
johanc
Level 1
Level 1
In response to MHM Cisco World

‎08-12-2022 03:37 AM

Hi!
SERVER01-NAT is a defined network object of type "Host" set to my outside IP-address (which is obtained via DHCP since it is the only method my ISP allows). SERVER01 is a defined network object of type "Host" set to the IP address my server has in the dmz (192.168.17.3). Internal-LAN is a defined network obect of type "Network" set to "10.0.0.0/255.255.255.0" which is the network my clients use.

I have tried both these commands with the same result. 

Result of the command: "nat (inside,dmz) source static Internal-LAN interface destination static SERVER01-NAT SERVER01"
nat (inside,dmz) source static Internal-LAN interface destination static SERVER0 ^1-NAT SERVER01
ERROR: % Invalid input detected at '^' marker.

Result of the command: "nat (inside,dmz) source static Internal-LAN interface destination static SERVER01 SERVER01-NAT"
nat (inside,dmz) source static Internal-LAN interface destination static SERVER0 ^1 SERVER01-NAT
ERROR: % Invalid input detected at '^' marker.

Regards
Johan

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to johanc

‎08-12-2022 03:46 AM

and I find issue, 
there is no interface Inside the interface is 
Inside_1 ,_2 ....etc. 
give the real Interface nameif 

Go to solution
johanc
Level 1
Level 1
In response to MHM Cisco World

‎08-12-2022 04:55 AM

Thank you very much!

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to johanc

‎08-12-2022 03:23 AM - edited ‎08-12-2022 03:24 AM

@johanc The object "Internal-LAN" wouldn't exist on your ASA, hence the error. The object "Internal-LAN" was an object used in the example, you'd need to replace this with an object that represents your internal network.

0 Helpful

Go to solution
johanc
Level 1
Level 1
In response to Rob Ingram

‎08-12-2022 03:29 AM

Hi, no I created the object "Internal-LAN" (and also SERVER01_NAT and SERVER01) before i ran the command, so "Internal-LAN" exists (unfortunately).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card