Hairpinning in ASA 5510

Jul 5th, 2010

Hi all,

My gateway is an ASA 5510, version 7.2(4), with IP 192.168.10.254. In my network there is a router, 192.168.10.253, which is connected to two other networks, 192.168.2.0 and 192.168.3.0. There is a static route configured on my ASA to direct traffic bound for 192.168.2.0 and 192.168.3.0 to point to 192.168.10.253. However, from my PC I could not access the two networks 192.168.2.0 and 192.168.3.0. I thought hairpinning is supported on the ASA, which allows same-security traffic in and out of the same interface. I added the command "same-security-traffic permit intra-interface" but it doesn't work. Must I also add the "global (inside) 1 interface" command?

I also understand that there are admins who do DNS rewrite or hairpinning to allow their DNS clients to access internal servers using the public IP. Which method is better, such that there is less overhead in terms of network traffic?

Please advise. Thanks in advance.

Federico Coto F... Mon, 07/05/2010 - 19:48

Hi,

If the ASA needs to NAT the traffic, then besides "same-security-traffic permit intra-interface", you need the NAT rule you mentioned.

If you need further advice please specify.

Federico.

Nagaraja Thanthry Mon, 07/05/2010 - 21:19

Typically, you do need the global statement if the firewall is your default gateway and you are accessing other networks behind the router. This will ensure that the firewall is seeing all the traffic and will not block any of the TCP traffic.

The DNS rewrite option may not apply here, as we are looking at accessing a different network altogether. DNS rewrite is used when you have a server on the inside network (same as your clients) and you are trying to access that server using its public IP.

In this scenario, the best solution would be to make your router the default gateway for the 192.168.10.0 network and make the firewall the default gateway for the router. This will ensure that the router routes the 192.168.2.0/3.0 subnets to the corresponding interfaces and the rest of the traffic to the firewall. This is the easiest and most efficient solution, as it will not burden your firewall with unnecessary NAT translations and also will not affect your traffic negatively.
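The two approaches discussed in the replies above, written out as an added configuration example. This is not configuration posted by anyone in the thread; it assumes the addressing given in the question (ASA inside 192.168.10.254, router 192.168.10.253, remote subnets 192.168.2.0 and 192.168.3.0), a /24 mask on every subnet, an inside interface named "inside" on Ethernet0/1, and the pre-8.3 nat/global syntax that 7.2(4) uses. Option A is the hairpin-through-the-ASA design the first two replies describe (intra-interface permit plus static routes plus NAT to the interface address); option B is the router-as-default-gateway design from the last reply.

```cisco
! ---- Option A: hairpin inside-to-inside traffic through the ASA (7.2 syntax) ----
! Assumed addressing and interface names; adjust to your own.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
! Allow a packet to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Send the two remote subnets back out the inside interface toward the router.
route inside 192.168.2.0 255.255.255.0 192.168.10.253 1
route inside 192.168.3.0 255.255.255.0 192.168.10.253 1
!
! PAT hairpinned flows to the inside interface address. Without this, the router
! replies straight to the PC on the shared LAN, the ASA sees the SYN but never the
! SYN/ACK, and it drops the rest of the TCP connection as out of state. With it,
! the router sees 192.168.10.254 as the source and replies via the ASA.
nat (inside) 1 192.168.10.0 255.255.255.0
global (inside) 1 interface
!
! Checks on the ASA while a PC opens a TCP session to a host in 192.168.2.0:
!   show xlate   - expect a PAT entry 192.168.10.x -> 192.168.10.254
!   show conn    - expect the hairpinned connection in the table
!
! ---- Option B: router is the LAN default gateway, ASA is the router's gateway ----
! Hosts on 192.168.10.0/24 point their default gateway at 192.168.10.253.
! Router side (IOS, assumed):
ip route 0.0.0.0 0.0.0.0 192.168.10.254
! The router reaches 192.168.2.0 and 192.168.3.0 on its own connected or routed
! interfaces and forwards everything else to the ASA. No hairpin NAT is needed
! and the ASA no longer carries LAN-to-LAN traffic, but that traffic is also no
! longer inspected by the firewall; the two static routes on the ASA are then
! only needed for traffic the ASA originates or receives from the outside.
```

In option A the ASA still inspects the internal flows, at the cost of a translation per connection and of the router seeing every hairpinned flow as coming from 192.168.10.254. ASA 8.3 and later dropped the nat/global pair in favour of object NAT, so the two NAT lines would need rewriting on a newer release; the intra-interface and route commands are unchanged.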
