ASA Hairpin

katheer4u (Level 1)

Hi,
Please can you advise me how I can NAT the inside hairpin traffic on the ASA, so that the web server allows only HTTPS traffic?

Please see the attached image of the network diagram.

[Attachment: Hairpin.jpg]

6 Replies

Hi,
If you are hairpinning the traffic (traffic entering and exiting the same interface) you will need the command "same-security-traffic permit intra-interface". The NAT rules will need to be accurate with the correct src/dst interfaces.

HTH

Dear RJI,

Thanks, it's working now. I can browse only the home page of the website.

https://www.XXXXXXXXXXX.com is working fine,

and when I click the login page it is not working:

https://www.XXXXXXXXXXX.com/portal/login

Please can you advise me?

Thank you.


When you make this connection are you connecting from the PC on 192.168.200.x connecting to 192.168.100.100? Not sure why you'd need to be hairpinning there.

Please can you provide your configuration for review.

192.168.100.100 is a web server, and it rewrites to HTTPS only, and we don't have a domain server to resolve DNS.


I'm not sure I understand your last point there.
What ACLs have you got configured?
Take a packet capture on the ASA and provide the pcap for review.

Hello,

Below is what you would need for hairpinning HTTPS:

same-security-traffic permit intra-interface
!
interface GigabitEthernet0/1
nameif inside
security level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security level 0
ip address 80.200.122.100 255.255.255.0
!
object network WEBSERVER_PUBLIC
host 80.200.122.100
!
object network WEBSERVER_LOCAL
host 192.168.100.100
!
object service HTTPS
service tcp destination eq https
!
object-group network LOCAL_HOSTS
network-object 192.168.100.0 255.255.255.0
!
nat (inside,inside) source dynamic LOCAL_HOSTS interface destination static WEBSERVER_PUBLIC WEBSERVER_LOCAL service HTTPS HTTPS
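To check a snippet like the one above before pushing it to a box, here is a small Python checker added to this thread as an illustration; it is not code from the poster, from Cisco, or from the ASA itself. It parses only the subset of ASA syntax that appears in the answer (interfaces, network and service objects, and the twice-NAT line), confirms the two requirements the thread raises (a NAT rule whose ingress and egress interface are the same, paired with `same-security-traffic permit intra-interface`, and a service clause limiting the rule to tcp/443), and then runs a simplified model of the twice-NAT lookup for a sample flow. The parser, the lint checks and the `translate` model are my own hypothetical helpers and deliberately simplified; the sample client addresses are constructed.

```python
import ipaddress
import re

# ASA snippet from the answer above ('!' separator lines dropped), embedded so this runs offline.
ASA_CONFIG = """\
same-security-traffic permit intra-interface
interface GigabitEthernet0/1
nameif inside
security level 100
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security level 0
ip address 80.200.122.100 255.255.255.0
object network WEBSERVER_PUBLIC
host 80.200.122.100
object network WEBSERVER_LOCAL
host 192.168.100.100
object service HTTPS
service tcp destination eq https
object-group network LOCAL_HOSTS
network-object 192.168.100.0 255.255.255.0
nat (inside,inside) source dynamic LOCAL_HOSTS interface destination static WEBSERVER_PUBLIC WEBSERVER_LOCAL service HTTPS HTTPS
"""

# Twice-NAT line in the form the snippet uses (hypothetical parser; covers only this form).
NAT_RE = re.compile(
    r"nat \((?P<ingress>\w+),(?P<egress>\w+)\) source dynamic (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)(?: service (?P<svc_mapped>\S+) (?P<svc_real>\S+))?$"
)

def parse_asa(text):
    """Parse the subset of ASA syntax the snippet uses into plain dicts."""
    cfg = {"intra_interface": False, "interfaces": {}, "networks": {}, "services": {}, "nat": []}
    block = None  # (kind, payload) of the interface/object block being read
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif line.startswith("interface "):
            block = ("interface", {})
        elif line.startswith("nameif ") and block and block[0] == "interface":
            cfg["interfaces"][line.split()[1]] = block[1]  # same dict receives the ip below
        elif line.startswith("ip address ") and block and block[0] == "interface":
            block[1]["ip"] = line.split()[2]
        elif line.startswith(("object network ", "object-group network ")):
            block = ("network", line.split()[-1])
            cfg["networks"][block[1]] = []
        elif line.startswith("object service "):
            block = ("service", line.split()[-1])
        elif line.startswith("host ") and block and block[0] == "network":
            cfg["networks"][block[1]].append(ipaddress.ip_network(line.split()[1]))
        elif line.startswith("network-object ") and block and block[0] == "network":
            _, net, mask = line.split()
            cfg["networks"][block[1]].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif line.startswith("service tcp destination eq ") and block and block[0] == "service":
            port = line.split()[-1]
            cfg["services"][block[1]] = 443 if port == "https" else int(port)
        elif line.startswith("nat (") and NAT_RE.match(line):
            cfg["nat"].append(NAT_RE.match(line).groupdict())
    return cfg

def lint_hairpin(cfg):
    """Findings for the requirements raised in the thread; an empty list means the snippet passes."""
    findings = []
    hairpins = [r for r in cfg["nat"] if r["ingress"] == r["egress"]]
    if not hairpins:
        findings.append("no NAT rule with the same ingress and egress interface (no hairpin)")
    elif not cfg["intra_interface"]:
        findings.append("hairpin rule present but 'same-security-traffic permit intra-interface' is missing")
    for r in hairpins:
        if cfg["services"].get(r["svc_real"]) != 443:
            findings.append("hairpin rule is not limited to HTTPS: it needs a service clause with tcp/443")
    return findings

def translate(cfg, src_ip, dst_ip, dport):
    """Simplified twice-NAT lookup for one inside-originated TCP flow: (new_src, new_dst, new_port) or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in (r for r in cfg["nat"] if r["ingress"] == r["egress"]):  # hairpin rules only
        src_hit = any(src in n for n in cfg["networks"].get(r["src_real"], []))
        dst_hit = any(dst in n for n in cfg["networks"].get(r["dst_mapped"], []))
        svc_hit = r["svc_mapped"] is None or cfg["services"].get(r["svc_mapped"]) == dport
        if src_hit and dst_hit and svc_hit:
            # 'interface' as the mapped source means PAT behind the egress interface address
            new_src = (cfg["interfaces"][r["egress"]]["ip"] if r["src_mapped"] == "interface"
                       else str(cfg["networks"][r["src_mapped"]][0].network_address))
            new_dst = str(cfg["networks"][r["dst_real"]][0].network_address)
            return new_src, new_dst, cfg["services"].get(r["svc_real"], dport)
    return None

if __name__ == "__main__":
    parsed = parse_asa(ASA_CONFIG)
    print("findings:", lint_hairpin(parsed) or "none")
    print(translate(parsed, "192.168.100.50", "80.200.122.100", 443))  # constructed sample flow
```

Two things the model makes visible that the snippet alone does not: a flow to the public address on any port other than 443 never matches the rule (so the "HTTPS only" requirement is enforced by the NAT rule itself), and a client that is not covered by LOCAL_HOSTS, such as the 192.168.200.x PC mentioned earlier in the thread, gets no translation at all, because the object only contains 192.168.100.0/24. On the ASA itself the equivalent check is `packet-tracer input inside tcp <client-ip> <port> 80.200.122.100 443`, which shows the NAT phase and the egress interface for real.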
