hairpinning in asa5510

donnie
Level 1

Hi all,

I have a Cisco ASA 5510 whose inside interface has an IP of 192.168.5.1. I have a PC with the IP 192.168.5.2 that uses the gateway 192.168.5.1. I need the ASA firewall to be able to route traffic from the PC for certain networks (e.g. 192.168.6.0/24 and 192.168.7.0/24) to a router at 192.168.5.3. I have configured the appropriate static route on the ASA and have enabled hairpinning using "same-security-traffic permit intra-interface" (so that traffic can enter and exit the same interface), but the routing fails to work. What other config is required? Please advise, thanks in advance.

6 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

If you are running pre-8.2 image on the ASA, please try the following:

global (inside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 <-- This line may already be there

If you are running 8.2 or higher code version, then

access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
class-map TCP_bypass
 match access-list bypass
exit
policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass
exit
service-policy inside_policy in interface inside

This will ensure that the firewall supports asymmetric routing. In the first option, only 192.168.5.x is allowed to initiate the connection while the second one will work for bidirectional connections.

Hope this helps.

Regards,

NT
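As an added example (not part of this thread and not a Cisco tool), the script below parses the 8.2+ snippet from the reply above and reports which source/destination networks lose TCP state checking on which interface. That matters because tcp-state-bypass switches off the ASA's stateful TCP inspection for the matching flows, so the ACL feeding the bypass class should cover only the networks that actually take the asymmetric path through the inside router. All names in the script are taken from the reply; the sample config string is constructed from it.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the 8.2+ snippet from the reply above, joined into one config.
SAMPLE_CONFIG = """\
access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypass permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
class-map TCP_bypass
 match access-list bypass
exit
policy-map inside_policy
 class TCP_bypass
  set connection advanced-options tcp-state-bypass
exit
service-policy inside_policy in interface inside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
SVC_RE = re.compile(r"^service-policy (\S+) in interface (\S+)$")

def bypassed_flows(config):
    """Return [(interface, src_net, dst_net)] whose TCP state checking is disabled."""
    acls, class_to_acl, bypass_classes, services = {}, {}, {}, {}
    cur_class = cur_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):                       # extended ACL entry (ip/mask form)
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{s_ip}/{s_mask}"), ip_network(f"{d_ip}/{d_mask}")))
        elif line.startswith("class-map "):               # global class-map definition
            cur_class, cur_policy = line.split()[1], None
        elif line.startswith("match access-list ") and cur_class:
            class_to_acl[cur_class] = line.split()[2]
        elif line.startswith("policy-map "):
            cur_policy, cur_class = line.split()[1], None
        elif line.startswith("class ") and cur_policy:    # class referenced inside a policy-map
            cur_class = line.split()[1]
        elif line == "set connection advanced-options tcp-state-bypass" and cur_policy:
            bypass_classes.setdefault(cur_policy, set()).add(cur_class)
        elif m := SVC_RE.match(line):                     # policy bound to an interface
            services[m.group(2)] = m.group(1)
        elif line == "exit":                              # leave the class first, then the policy
            cur_class, cur_policy = None, (cur_policy if cur_class else None)
    flows = []
    for iface, policy in services.items():
        for cls in sorted(bypass_classes.get(policy, ())):
            for src, dst in acls.get(class_to_acl.get(cls), []):
                flows.append((iface, str(src), str(dst)))
    return flows
```

Running `bypassed_flows(SAMPLE_CONFIG)` lists the two 192.168.5.0/24 to 192.168.6.0/24 and 192.168.7.0/24 flows on the inside interface as the only ones without stateful TCP checking.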

Hi NT,

I am using a pre-8.2 ASA version and I need it to work bidirectionally. Please advise. Thanks in advance.

Hello,

In that case, you need to make the inside router the default gateway for the 192.168.5.x subnet. You can set the ASA as the default gateway for the inside router.

Regards,

NT

What software version is the ASA 5510 running? If it is running 7.0 or 7.1, the command "same-security-traffic permit intra-interface" applies to IPSec traffic only. This command applies to all traffic in software version 7.2 and later.

Hi NT,

I have applied the following.

"global (inside) 1 interface" while "nat (inside) 1 0.0.0.0 0.0.0.0" is already in my config.

But my PC still can't initiate a session to the 192.168.6.0/24 and 192.168.7.0/24 subnets. Please advise.

Hello,

Can you please post the running configuration here?

Regards,

NT
