Public-Public connection w/hairpinning

Nov 15th, 2008

I have an ASA on 8.04, and have set up hairpinning to allow internal desktops to access a pair of servers via their public addresses. Config snippet below - essentially as per the CCO DNS doctoring document except for the second server. Desktop-server communication is working, but the servers also need to run FTP between them. This is not working.

My knowledge of the internal processes of the ASA is highly imperfect, but it seems to me there might be problems with getting all the needed translations, connection table entries etc., built correctly in this context, particularly for TCP, since the ASA validates the handshake. My main question is, is communication between a pair of public addresses supported via hairpinning, and, if so, what config mods are necessary to support it?


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (Outside) 10 interface
global (Inside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
static (Inside,Inside) x.y.z.196 netmask
static (Inside,Inside) x.y.z.197 netmask
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

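As an added example (not from the post or from Cisco), here is a small audit script that parses an 8.0-style ASA config in the shape shown above and checks the documented prerequisites for Inside-to-Inside hairpinning: the intra-interface permit, a static (Inside,Inside) entry per server, a global/nat pair on the same interface for dynamic PAT, and inspect ftp so the data channel gets pinholed. The sample config is constructed; the real addresses and 255.255.255.255 netmasks are assumed stand-ins for the values the poster elided. It only reports missing building blocks; it cannot tell you whether the server-to-server FTP session will actually be built.

```python
import re

# Constructed sample modelled on the post's snippet (addresses/netmasks assumed).
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
global (Outside) 10 interface
global (Inside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
static (Inside,Inside) x.y.z.196 192.0.2.196 netmask 255.255.255.255
static (Inside,Inside) x.y.z.197 192.0.2.197 netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask  (8.x syntax)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)(?: access-list (\S+))?")

def parse_asa(text):
    """Pull out the NAT/PAT, static and inspection lines a hairpin audit needs."""
    cfg = {"intra": False, "globals": {}, "nat": {}, "statics": [], "inspect": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].setdefault(m[1], set()).add(int(m[2]))
        elif m := NAT_RE.match(line):
            cfg["nat"].setdefault(m[1], set()).add(int(m[2]))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2],
                                   "mapped": m[3], "real": m[4], "mask": m[5]})
        elif line.startswith("inspect "):
            cfg["inspect"].add(line.split()[1])
    return cfg

def check_hairpin(cfg, iface):
    """Return a list of missing hairpin prerequisites for traffic re-entering iface."""
    findings = []
    if not cfg["intra"]:
        findings.append("same-security-traffic permit intra-interface missing: "
                        f"traffic cannot exit {iface} the way it came in")
    statics = [s for s in cfg["statics"] if s["real_if"] == iface == s["mapped_if"]]
    if not statics:
        findings.append(f"no static ({iface},{iface}) entry: servers unreachable by public IP")
    # nat id 0 is exemption, not PAT; any other nat id needs a matching global on iface
    if not (cfg["nat"].get(iface, set()) - {0}) & cfg["globals"].get(iface, set()):
        findings.append(f"no matching nat/global pair on {iface}: client side of hairpin not PATed")
    if "ftp" not in cfg["inspect"]:
        findings.append("inspect ftp missing: FTP data connections will not be pinholed")
    return findings
```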
mflanigan021 Sat, 11/15/2008 - 18:04

I entered this topic in the VPN category by mistake - I have re-posted in the security/firewalling section. Please ignore. Sorry for confusion