hairpinning in asa5510

Sep 19th, 2010

Hi all,

I have a Cisco ASA 5510 whose inside interface has an IP of I have a PC with the IP of and uses gateway I need the ASA firewall to be able to route traffic from the PC for certain networks (e.g. and to a router I have configured the appropriate static route on the ASA and have enabled hairpinning using "same-security-traffic permit intra-interface" (so that traffic can enter and exit the same interface) but the routing fails to work. What other config is required? Please advise, thanks in advance.

Nagaraja Thanthry Sun, 09/19/2010 - 15:01


If you are running pre-8.2 image on the ASA, please try the following:

global (inside) 1 interface
nat (inside) 1    <-- This line may already be there

If you are running 8.2 or higher code version, then:

access-list bypass permit ip
access-list bypass permit ip

class-map TCP_bypass
 match access-list bypass

policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass

service-policy inside_policy interface inside

This will ensure that the firewall supports asymmetric routing. In the first option, only 192.168.5.x is allowed to initiate the connection while the second one will work for bidirectional connections.

Hope this helps.



donnie Mon, 09/20/2010 - 13:03

Hi NT,

I am using a pre-8.2 ASA version and I need it to work bidirectionally. Please advise. Thanks in advance.

Nagaraja Thanthry Mon, 09/20/2010 - 13:15


In that case, you need to make the inside router the default gateway for the 192.168.5.x subnet. You can set the ASA as the default gateway for the inside router.



Allen P Chen Mon, 09/20/2010 - 16:38

What software version is the ASA 5510 running?  If it is running 7.0 or 7.1, the command "same-security-traffic permit intra-interface" applies to IPSec traffic only.  This command applies to all traffic in software version 7.2 and later.
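The two options in Nagaraja's answer (NAT hairpin on pre-8.2, TCP state bypass on 8.2+) and the version caveat above can be checked mechanically against a running-config. The following is an added example, not code from the thread or from Cisco; it parses a constructed ASA config excerpt (made-up addresses and names) and reports whether the intra-interface permit, the inside static route, and at least one of the two hairpin options are present.

```python
import re

# Constructed ASA running-config excerpt for illustration (not from the thread);
# the addresses, interface and policy names are made up.
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
same-security-traffic permit intra-interface
route inside 10.20.0.0 255.255.0.0 192.168.5.254 1
access-list bypass extended permit ip 192.168.5.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list bypass extended permit ip 10.20.0.0 255.255.0.0 192.168.5.0 255.255.255.0
class-map TCP_bypass
 match access-list bypass
policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
"""

def check_hairpin_config(config):
    """Return a dict of findings for inside-to-inside (hairpin) routing on an ASA."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    m = re.search(r"ASA Version (\d+)\.(\d+)", config)
    version = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    intra = "same-security-traffic permit intra-interface" in lines
    # Per the thread: on 7.0/7.1 the intra-interface permit covers IPsec traffic only.
    intra_ok = intra and version >= (7, 2)
    # A static route out the inside interface towards the inside router.
    route_ok = any(l.startswith("route inside ") for l in lines)
    # Option 1 (pre-8.2): a global on the inside interface sharing an id with a nat (inside).
    nat_ids = {l.split()[2] for l in lines if l.startswith("nat (inside) ")}
    global_ids = {l.split()[2] for l in lines
                  if l.startswith("global (inside) ") and l.endswith(" interface")}
    nat_hairpin = bool(nat_ids & global_ids)
    # Option 2 (8.2+): tcp-state-bypass inside a policy-map that is applied to inside.
    bypass_policies, current = set(), None
    for l in lines:
        if l.startswith("policy-map "):
            current = l.split()[1]
        elif l == "set connection advanced-options tcp-state-bypass" and current:
            bypass_policies.add(current)
    tcp_bypass = any(f"service-policy {p} interface inside" in lines for p in bypass_policies)
    findings = {"version": version, "intra_interface_ok": intra_ok, "inside_route": route_ok,
                "nat_hairpin": nat_hairpin, "tcp_state_bypass_on_inside": tcp_bypass}
    findings["ok"] = intra_ok and route_ok and (nat_hairpin or tcp_bypass)
    return findings

if __name__ == "__main__":
    for key, value in check_hairpin_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it `show running-config` output to see which of the prerequisites is missing; a `policy-map type inspect` block would be misread by the simple name split and should be trimmed first.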

donnie Mon, 09/20/2010 - 13:27

Hi NT,

I have applied the following.

"global (inside) 1 interface", while "nat (inside) 1" is already in my config.

But my PC still can't initiate a session to the and subnets. Please advise.

