U-Turning/Hairpinning on ASA







Requirement: the network needs to talk to the network; the default gateway on the machines is the interface of the ASA(


By default the ASA won't allow traffic to leave on the same interface it arrived on. So when machines try to reach the subnet, here is how the communication proceeds:


- When (any machine on the network with its gateway set to ) opens a TCP connection to (a machine on the subnet), the initial SYN packet of the TCP 3-way handshake goes through the ASA, which has a route to the network pointing to

- By default the ASA won't allow this U-turn. The following command overrides that behaviour:


same-security-traffic permit intra-interface


- With that command in place, the ASA forwards the SYN packet to , which forwards it on to the actual destination

- responds with a SYN,ACK destined to . This packet arrives on the router, and since is directly connected to it, the router does not send it back to the ASA; instead it ARPs for and delivers the packet directly to the machine (assuming proxy ARP on the inside interface is disabled).

- then sends the ACK (third packet of the TCP 3-way handshake), again through the ASA. Since the ASA never saw the SYN,ACK for this connection, it drops the ACK and the connection fails.



Here are the commands to add on the ASA to make this flow work:


Pre 8.2:


Configuring NAT for both subnets:


nat (inside) 1
global (inside) 1 interface
static (inside,inside) netmask norandomseq nailed


Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection. More info can be found here:


same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1


Info on sysopt noproxyarp and failover timeout command:


8.2 onwards:


Configuring NAT for both subnets (without the nailed option):


nat (inside) 1
global (inside) 1 interface
static (inside,inside) netmask


same-security-traffic permit intra-interface
sysopt noproxyarp inside


Configuring TCP-STATE-BYPASS on the ASA: the norandomseq nailed options of the static command are deprecated, and this feature is now used to accomplish the same thing. With the config below the "failover timeout" command is no longer needed either.


NOTE: Match only the traffic that needs it. For flows matching this class the ASA checks only the interface ACL; all other security checks are disabled for that traffic.


access-list TCP-STATE-BYPASS permit ip

match access-list TCP-STATE-BYPASS

policy-map inside_policy

set connection advanced-options tcp-state-bypass

service-policy inside_policy interface inside



With the config above, the ASA allows the asymmetric path for this flow.
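The handshake walk-through above and the tcp-state-bypass NOTE can both be seen in a small model of a stateful firewall. The Python below is an added illustration, not Cisco code and not the ASA's real implementation: it tracks the 3-way handshake per flow, feeds it only the packets that actually transit the ASA in the hairpin case (the SYN and the client's ACK, with the SYN,ACK delivered by the router directly), and shows the ACK being dropped unless the flow is matched by a bypass ACL. The subnets 10.1.1.0/24 and 10.2.2.0/24 and the hosts in them are constructed stand-ins for the addresses elided on this page; a flow outside the ACL keeps full state checking, which is the point of the NOTE.

```python
"""Toy model of the ASA's TCP state check for a hairpinned flow.

Added illustration, not Cisco code. Addresses are constructed:
10.1.1.0/24 plays the client-side subnet, 10.2.2.0/24 the subnet
behind the router.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


class AsaModel:
    """Minimal stateful firewall: tracks the 3-way handshake per flow."""

    def __init__(self, bypass_acl=()):
        # bypass_acl stands in for the page's
        # 'access-list TCP-STATE-BYPASS permit ip <src> <dst>' entries,
        # given here as (src_cidr, dst_cidr) pairs.
        self.bypass_acl = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                           for s, d in bypass_acl]
        self.conns = {}  # direction-independent flow key -> handshake state

    @staticmethod
    def _key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _bypassed(self, p):
        # A connection matched by the bypass class is exempt from state
        # tracking in both directions, so test the ACL either way round.
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return any((src in s and dst in d) or (src in d and dst in s)
                   for s, d in self.bypass_acl)

    def inspect(self, p):
        """Return 'PERMIT' or 'DROP' for one packet transiting the ASA."""
        if self._bypassed(p):
            return "PERMIT"  # only the interface ACL would be consulted
        key = self._key(p)
        state = self.conns.get(key)
        if p.flags == {"SYN"} and state is None:
            self.conns[key] = "SYN_SEEN"
            return "PERMIT"
        if p.flags == {"SYN", "ACK"} and state == "SYN_SEEN":
            self.conns[key] = "SYNACK_SEEN"
            return "PERMIT"
        if p.flags == {"ACK"} and state in ("SYNACK_SEEN", "ESTABLISHED"):
            self.conns[key] = "ESTABLISHED"
            return "PERMIT"
        # Anything else is out of sequence for a stateful device; in the
        # hairpin case this is the client's ACK arriving with no SYN,ACK seen.
        return "DROP"


def hairpin_handshake(asa, client, server, sport=40000, dport=80):
    """Feed the ASA only what transits it in the hairpin scenario.

    The SYN and the client's final ACK cross the ASA; the SYN,ACK is handed
    by the router straight to the client and never reaches the ASA.
    """
    syn = Packet(client, server, sport, dport, frozenset({"SYN"}))
    ack = Packet(client, server, sport, dport, frozenset({"ACK"}))
    return [asa.inspect(syn), asa.inspect(ack)]


def symmetric_handshake(asa, client, server, sport=40001, dport=80):
    """Control case: all three handshake packets pass through the ASA."""
    syn = Packet(client, server, sport, dport, frozenset({"SYN"}))
    synack = Packet(server, client, dport, sport, frozenset({"SYN", "ACK"}))
    ack = Packet(client, server, sport, dport, frozenset({"ACK"}))
    return [asa.inspect(pkt) for pkt in (syn, synack, ack)]


if __name__ == "__main__":
    client, server = "10.1.1.10", "10.2.2.20"  # constructed addresses
    print("no bypass, hairpin:  ", hairpin_handshake(AsaModel(), client, server))
    print("no bypass, symmetric:", symmetric_handshake(AsaModel(), client, server))
    asa = AsaModel(bypass_acl=[("10.1.1.0/24", "10.2.2.0/24")])
    print("bypass, hairpin:     ", hairpin_handshake(asa, client, server))
    # A flow the ACL does not match keeps full state checking (the NOTE above).
    print("bypass, other dest:  ", hairpin_handshake(asa, client, "192.0.2.5"))
```

Running it shows the default model permitting the SYN and dropping the ACK, the symmetric control case passing all three packets, and the bypass ACL letting the hairpinned ACK through while a flow to an address outside the ACL still fails. Keeping the ACL narrow is what limits how much traffic loses state checking.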




- Sourav Kakkar
