Hairpinning Fails

rafaelcervantes
Level 1

Hi

I have two local subnets, 192.168.1.0 and 192.168.2.0, behind another router. I am hairpinning on the ASA (IP 192.168.1.252) to route traffic to the subnet 192.168.2.0.

I applied the following commands (I received help from pkampana to do this):

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

If I do an ICMP echo using ASDM Packet Tracer, it works in both directions.

If I ping from a computer on subnet 192.168.1.0 to subnet 192.168.2.0, it works.

If I ping from a computer on subnet 192.168.2.0 to subnet 192.168.1.0, it fails.

Remote desktop from any subnet fails, and ASDM is logging the error that says:

severity: 6

Syslog ID: 106015

Source IP: 192.168.1.153

Destination IP: 192.168.2.4

Description: Deny TCP (no connection) from 192.168.1.153/1168 to 192.168.2.4/3389 flags RST on interface inside.

Thank you in advance.

RC

4 Replies

acomiskey
Level 10

You could try this on the inside interface instead of your nat0 acl.

global (inside) 10 interface

nat (inside) 10 0 0

When I first tried to run this command I received the error:

Result of the command: "nat (inside) 10 0 0"

Duplicate NAT entry

That is because I already have the command nat (inside) 1 0.0.0.0 0.0.0.0.

I changed this one: nat (inside) 1 0.0.0.0 0.0.0.0

to this one: nat (inside) 1 192.168.1.0 255.255.255.0, and applied the ones that you gave me: nat (inside) 10 0 0 and global (inside) 10 interface, but it still does not work.

Thank you.

RC

Go back to your original way but remove one of these lines.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

NAT exemption is bidirectional, so 1 line should be all you need.

I already removed the line:

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Still does not work.

The syslog explanation of the error is:

The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Any help is greatly appreciated.

Thank you in advance.

RC.
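The syslog explanation quoted above (a non-SYN TCP packet with no entry in the connection table is discarded) can be made concrete with a small model. The following is an added example written for this page, not code from the thread, from Cisco, or from any ASA software: it parses the 106015 message text quoted in the thread and runs a simplified connection-table check over two constructed packet sequences, one where the firewall sees the whole handshake and one where it only sees a stray RST. Host addresses and ports are the ones quoted in the log line; the `ConnTable` class is a teaching model and does not reproduce the ASA's full TCP state tracking.

```python
"""Added example (not from the thread): a parser for the 106015 message text and a
simplified model of the connection-table check its syslog explanation describes."""
import re
from dataclasses import dataclass

# Pattern for the message text of %ASA-6-106015 as quoted in the thread.
LOG_106015 = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\w+)"
)


def parse_106015(line):
    """Pull src/dst/ports/flags/interface out of one 106015 line; None if no match."""
    m = LOG_106015.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": frozenset(m["flags"].split()), "iface": m["iface"],
    }


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """Same connection seen from the other direction."""
        return Flow(self.dst, self.dport, self.src, self.sport)


class ConnTable:
    """Simplified stateful check (teaching model, not the real ASA state machine):
    permit a packet that matches a known connection in either direction, or that
    carries SYN to open a new one; otherwise record a 106015-style message and deny."""

    def __init__(self):
        self.conns = set()
        self.log = []

    def inspect(self, src, sport, dst, dport, flags, iface):
        flow = Flow(src, sport, dst, dport)
        if flow in self.conns or flow.reverse() in self.conns:
            return "permit"
        if "SYN" in flags:
            self.conns.add(flow)
            return "permit"
        self.log.append(
            f"Deny TCP (no connection) from {src}/{sport} to {dst}/{dport} "
            f"flags {' '.join(sorted(flags))} on interface {iface}"
        )
        return "deny"


# Hosts and ports taken from the log line quoted in the thread.
CLIENT, SERVER = "192.168.1.153", "192.168.2.4"


def symmetric_handshake():
    """Both directions traverse the firewall: SYN opens the connection and the
    SYN/ACK and ACK match it, so every packet is permitted and nothing is logged."""
    t = ConnTable()
    verdicts = [
        t.inspect(CLIENT, 1168, SERVER, 3389, {"SYN"}, "inside"),
        t.inspect(SERVER, 3389, CLIENT, 1168, {"SYN", "ACK"}, "inside"),
        t.inspect(CLIENT, 1168, SERVER, 3389, {"ACK"}, "inside"),
    ]
    return verdicts, t.log


def stray_rst():
    """A non-SYN packet arriving with no connection in the table, which is exactly
    the case the syslog explanation describes: it is denied and logged as 106015."""
    t = ConnTable()
    verdict = t.inspect(CLIENT, 1168, SERVER, 3389, {"RST"}, "inside")
    return verdict, t.log
```

The second scenario reproduces the thread's log line: the RST is dropped because the table holds no connection for that flow, which means this firewall never saw the SYN that opened it. When a hairpinned path produces this message, the check worth making is whether both directions of the flow actually pass through the ASA, since a connection whose opening packet took another path can never be matched.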
