hairpinning in asa5510

Unanswered Question
Sep 19th, 2010

Hi all,


I have a Cisco ASA 5510 whose inside interface has an IP of 192.168.5.1. I have a PC with the IP 192.168.5.2 that uses gateway 192.168.5.1. I need the ASA firewall to be able to route traffic from the PC for certain networks (e.g. 192.168.6.0/24 and 192.168.7.0/24) to a router at 192.168.5.3. I have configured the appropriate static route on the ASA and have enabled hairpinning using "same-security-traffic permit intra-interface" (so that traffic can enter and exit the same interface), but the routing fails to work. What other config is required? Please advise, thanks in advance.

Nagaraja Thanthry Sun, 09/19/2010 - 15:01
Cisco Employee

Hello,


If you are running pre-8.2 image on the ASA, please try the following:


global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 <-- This line may already be there


If you are running 8.2 or higher code version, then


access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0

class-map TCP_bypass
 match access-list bypass
exit

policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass
exit

service-policy inside_policy interface inside


This will ensure that the firewall supports asymmetric routing. In the first option, only 192.168.5.x is allowed to initiate the connection while the second one will work for bidirectional connections.


Hope this helps.


Regards,


NT
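As an added example (not from the thread or from Cisco), the following Python audit reads an ASA running-config and checks for the pieces this answer calls for: the intra-interface permit, static routes for each remote subnet back out the inside interface, and either the pre-8.2 global/nat pair sharing a NAT id or a tcp-state-bypass class actually applied to the interface, resolved through the service-policy, policy-map and class-map chain rather than by grepping for the keyword. The config excerpt is constructed to match the topology in the question, and the function and sample names are my own.

```python
import re
# Constructed ASA running-config excerpt modelled on the thread's topology: inside
# interface 192.168.5.1 with router 192.168.5.3 reached back out the same interface.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
access-list bypass extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypass extended permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
route inside 192.168.6.0 255.255.255.0 192.168.5.3 1
route inside 192.168.7.0 255.255.255.0 192.168.5.3 1
class-map TCP_bypass
 match access-list bypass
policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
"""

def _net(tokens):
    """Pop one ACL address spec from the token list: 'any' or 'network mask'."""
    return (tokens.pop(0),) if tokens[0] == "any" else (tokens.pop(0), tokens.pop(0))
def audit_hairpin(config, ifname, subnets):
    """Check the pieces hairpinned traffic out of `ifname` toward `subnets` needs."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    r = {"intra_interface": "same-security-traffic permit intra-interface" in lines}
    routed = {m[1] for l in lines if (m := re.fullmatch(rf"route {ifname} (\S+) \S+ \S+(?: \d+)?", l))}
    r["missing_routes"] = [s for s in subnets if s not in routed]
    # Option 1 (pre-8.2): global/nat on the same interface sharing one NAT id
    gids = {m[1] for l in lines if (m := re.fullmatch(rf"global \({ifname}\) (\d+) interface", l))}
    nids = {m[1] for l in lines if (m := re.fullmatch(rf"nat \({ifname}\) (\d+) .*", l))}
    r["nat_hairpin"] = bool(gids & nids)
    # Option 2 (8.2+): follow service-policy -> policy-map -> class -> class-map -> ACL
    pmap = next((m[1] for l in lines if (m := re.fullmatch(rf"service-policy (\S+) interface {ifname}", l))), None)
    cmap_acl, bypass_acls, cur_cmap, cur_pmap, cur_class = {}, set(), None, None, None
    for l in lines:
        if m := re.fullmatch(r"class-map (\S+)", l): cur_cmap, cur_pmap = m[1], None
        elif m := re.fullmatch(r"match access-list (\S+)", l): cmap_acl[cur_cmap] = m[1]
        elif m := re.fullmatch(r"policy-map (\S+)", l): cur_pmap, cur_cmap = m[1], None
        elif m := re.fullmatch(r"class (\S+)", l): cur_class = m[1]
        elif l == "set connection advanced-options tcp-state-bypass" and pmap and cur_pmap == pmap:
            bypass_acls.add(cmap_acl.get(cur_class))  # bypass = no TCP state checks for this class
    covered = set()
    for l in lines:
        m = re.fullmatch(r"access-list (\S+) (?:extended )?permit ip (.*)", l)
        if m and m[1] in bypass_acls:
            toks = m[2].split(); _net(toks); dst = _net(toks)
            covered.update(subnets if dst[0] == "any" else [dst[0]])
    r["bypass_uncovered"] = [s for s in subnets if s not in covered]
    r["ok"] = r["intra_interface"] and not r["missing_routes"] and (r["nat_hairpin"] or not r["bypass_uncovered"])
    return r
```

Because tcp-state-bypass removes TCP state checking for the matched class, the report lists exactly which subnets the bypass covers so the exemption can be kept as narrow as the routing requires.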

donnie Mon, 09/20/2010 - 13:03

Hi NT,


I am using a pre-8.2 ASA version and I need it to work bidirectionally. Please advise. Thanks in advance.

Nagaraja Thanthry Mon, 09/20/2010 - 13:15
Cisco Employee

Hello,


In that case, you need to make the inside router as the default gateway for the 192.168.5.x subnet. You can set ASA as the default gateway for the inside router.


Regards,


NT

Allen P Chen Mon, 09/20/2010 - 16:38
Cisco Employee

What software version is the ASA 5510 running? If it is running 7.0 or 7.1, the command "same-security-traffic permit intra-interface" applies to IPSec traffic only. This command applies to all traffic in software version 7.2 and later.

donnie Mon, 09/20/2010 - 13:27

Hi NT,


I have applied the following:

"global (inside) 1 interface", while "nat (inside) 1 0.0.0.0 0.0.0.0" was already in my config.

But my PC still can't initiate a session to the 192.168.6.0/24 and 192.168.7.0/24 subnets. Please advise.

Nagaraja Thanthry Mon, 09/20/2010 - 13:30
Cisco Employee

Hello,


Can you please post the running configuration here?


Regards,


NT
