
Hairpinning and internal routing with an ASA 5505

So, I've got a routing/NAT issue that I need some help with. I've attached an image to give you a visual view of the network (dumbed down quite a bit). Hopefully this is the right forum section to post this in.

On our office network we have two Ciscos. One is our ASA 5505, which we manage and which connects to the internet. The other is a Nuvox (Windstream) Cisco that connects to an MPLS that goes to a remote office. The MPLS is only for phone traffic on that remote segment to get to the phone server in the main office.
Currently, our phone system has a gateway of, which is the MPLS router. Unfortunately, that router has no access to the internet; just to the MPLS. I'd like to make it so that I can set the gateway of the phone system to, so that it can get to the internet, and then have the ASA know to route traffic for the remote subnet( to the MPLS router at

I'm new to the idea of hairpinning, but I got the ASA configured to actually work and forward traffic to when the destination is Unfortunately, one of the NAT commands breaks the local network because the ASA sends out ARP packets to everything, pairing its MAC address with every IP in the range. If you look in the ARP cache of any computer on the network, every entry has the MAC address of the ASA.

Here are the commands that I added to the ASA. Like I said, these commands worked, technically, but caused the ARP mayhem. Once I realized which command it was, it made sense and I should have known, but I don't know what to do to fix it. The first nat static command is what does it in.

access-list acl_inside extended permit ip
access-list acl_inside extended permit ip
no nat-control
global (inside) 1 interface
static (inside,inside) netmask
static (inside,inside) netmask
route inside 1
no inspect sip
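Added example, not from the thread: a small checker for the symptom described above, many IP addresses in an ARP cache resolving to one MAC (what proxy ARP on the ASA, or an ARP spoofer, looks like from a host). It parses both ASA `show arp` and Windows `arp -a` lines; the sample tables and addresses below are constructed.

```python
"""Flag ARP caches where one MAC answers for many IPs.
Handles Cisco ASA 'show arp' lines and Windows 'arp -a' lines.
Sample tables are constructed for this example, not taken from the post."""
import re
from collections import defaultdict

# ASA:      "    inside 192.0.2.10 0015.c583.6b69 21"
# Windows:  "  192.0.2.10          00-15-c5-83-6b-69     dynamic"
ASA_RE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)", re.I)
WIN_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits regardless of notation."""
    return re.sub(r"[.:-]", "", mac).lower()

def parse_arp(text):
    """Return (ip, mac) pairs from ASA or Windows ARP output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ASA_RE.match(line)
        if m:
            entries.append((m.group(2), normalize_mac(m.group(3))))
            continue
        m = WIN_RE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries

def shared_macs(entries, min_ips=3):
    """Map each MAC claimed by at least min_ips distinct IPs to those IPs (sorted).
    A gateway legitimately answers only for itself; many IPs on one MAC is the red flag."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= min_ips}

# Constructed snapshot of the symptom: every inside host resolves to the ASA's MAC.
POISONED = """router# show arp
        inside 192.0.2.10 0015.c583.6b69 10
        inside 192.0.2.11 0015.c583.6b69 21
        inside 192.0.2.12 0015.c583.6b69 29
        inside 192.0.2.13 0015.c583.6b69 36
        outside 198.51.100.1 d0d0.fd47.9ed4 44
"""
# Constructed healthy Windows cache: each IP has its own MAC.
HEALTHY = """Interface: 192.0.2.50 --- 0x5
  Internet Address      Physical Address      Type
  192.0.2.10            00-15-c5-83-6b-69     dynamic
  192.0.2.11            00-0c-29-53-bb-ae     dynamic
  192.0.2.12            00-24-e8-0c-96-77     dynamic
"""
```

Run `shared_macs(parse_arp(POISONED))` to see the ASA's MAC reported with all four inside IPs, and the same call on `HEALTHY` returns an empty dict.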



What kind of switch do you have between the Phone Server and the ASA?

The switch should know the MAC address of every device in the associated with the correct IP.

The ASA will answer to ARP requests when trying to get to as well, because it is configured to hairpin the traffic, but should be only when coming from another subnet ( for example).

Can you post the ARP entry on the ASA for the computers? show arp



Can you add a default route on your router pointing to the PIX?

Hey guys, thanks for the replies. Sorry for my late response, I've been away for the weekend.

As far as the router goes, I can't change anything there. That's managed by Windstream and they won't add any routes for me. I already tried.

Let me see if I can get the ARP table of the ASA with and without the hairpinning in place. I'll post back with that.

Someone mentioned disabling ProxyArp on the ASA to combat the ARP problem. Do you think that would work? Will that screw up anything else? I just don't want to break our site-to-site VPN or anything else.


Alright, here's the ARP table before and after adding the NAT commands. BTW, the switch in between them is a 3Com managed switch. Can't remember what model, though, off the top of my head.


router# show arp
        inside 0015.c583.6b69 10
        inside 000c.2953.bbae 21
        inside 0024.e80c.9677 21
        inside 0011.1135.a372 29
        inside 0030.4df4.e06c 29
        inside 000c.29b4.9cba 36
        inside 0030.4df4.e05d 38
        inside 000c.2997.7ef9 52
        inside 0015.afdd.9949 53
        inside d830.629f.3545 87
        inside 0025.64cf.3554 130
        inside 0007.e978.07a8 206
        inside 00c0.9f37.8209 342
        inside 98fc.1198.6442 414
        inside 00c0.b750.41d3 429
        inside 0022.1928.e53c 510
        inside 0011.24bf.7e14 675
        inside 0025.004e.4e61 965
        inside 0024.36a4.3cff 965
        inside 0030.4df4.e7b2 1269
        inside 7c6d.62de.62b9 1369
        inside 0026.08e1.1457 1425
        inside 0026.b0c0.1e1e 2279
        inside c8bc.c8bf.a6e8 3730
        inside 0021.7057.9b7e 6720


router(config)# show arp
        inside 0015.afdd.9949 0
        inside 0025.64cf.3554 3
        inside 0025.004e.4e61 4
        inside 0030.4df4.e06c 14
        inside 000c.29b4.9cba 21
        inside 000c.2953.bbae 22
        inside 0030.4df4.e05d 22
        inside 0024.e80c.9677 25
        inside 0026.08e1.1457 41
        inside 0015.c583.6b69 44
        inside 000c.2997.7ef9 44
        inside 0011.24bf.7e14 44
        outside d0d0.fd47.9ed4 44

The fix was turning off proxy ARP on the inside interface. Now the ASA doesn't screw with the ARP tables.


Your config is far from a best practice to accomplish what you want and can lead to a lot of strange problems if you configure more things on the ASA, especially related to NAT.

You would do better to turn proxy ARP back on and use this setup:

Make sure traffic from to is not being translated by using nonat:

access-list nonat permit ip

nat (inside) 0 access-list nonat

Make sure you have same-security-traffic permit intra-interface configured to allow packets coming in on the inside interface to go out to the same interface.

If you configure it this way you can remove the following commands:

global (inside) 1 interface
static (inside,inside) netmask
static (inside,inside) netmask

access-list acl_inside extended permit ip

Well, I know the current setup is kind of jury-rigged, but I'm happy that it's at least functional (for now).

I thought I had tried something similar to what you suggested, but I'll try it again. Unfortunately, all this has to be done after hours, so when I get a chance to do it I'll let you know.

Thanks for the help.

If you can upload the full config, I can post the exact commands to make this setup work, because without the total config it is hard to tell if there are other commands preventing this setup from working.


I am not sure what code version you are running. If you are running 8.2 and beyond, you have an easier fix. In 8.2 and beyond, there is a feature called TCP State Bypass that will ensure that all your TCP traffic goes through without any issues in an asymmetric routing scenario. So, if you are able to upgrade the code to 8.2 and beyond, here is the configuration you can try:

access-list TCP_bypass permit

class-map TCP_bypass

match access-list TCP_bypass


policy-map inside_policy

class TCP_bypass

set connection advanced-options tcp-state-bypass


service-policy inside_policy interface inside

If you are not able to upgrade the code to 8.2, then you need to configure interface NAT:

same-security-traffic permit intra-interface

access-list nonat permit ip

nat (inside) 0 access-list nonat

global (inside) 1 interface

nat (inside) 1

Please make sure that you have removed all other previously configured static NAT statements and NAT 0 statements before trying the above configuration.

Hope this helps.