New Member

ASA Port Forwarding with VPN Hairpinning

Hello,

I have been working on an issue for a while and I have managed to track down the issue, but I am not sure how to fix the issue.

I have an ASA 5505 running 8.4(7) with a tunneled AnyConnect VPN for inbound remote users. I also would like to set up inbound port forwarding for a webserver.

The issue seems to be the hairpinning rule that is causing the inbound port forwarding to be stopped:

nat (outside,outside) source dynamic NETWORK_OBJ_172.16.1.0_28 interface description hairpin for vpn users natting on the outside interface

When I disable this the port forwarding will work perfectly (according to packet tracer that is).

I have attached the config to this post. I would appreciate any insight on how to get the VPN hairpinning and the inbound port forwarding to work.

The config has been condensed to remove unneeded config.

Thanks

1 ACCEPTED SOLUTION

Super Bronze

Hi,

What are the configuration commands you are using to set up the Static PAT (Port Forward)?

The problem most likely is the ordering of the NAT configurations, as the above listed NAT configuration is at the top of the NAT configurations.

The Static PAT configuration you could use to make it work would be

object network SERVER
 host
object service WWW
 service tcp source eq www
nat (server,outside) 1 source static SERVER interface service WWW WWW

The above presumes the source interface for the host is "server" and that the service you want to do Static PAT for is TCP/80.

Notice that we add the number "1" in the "nat" command. This will add it at the top. The same thing would have to be done for any other Static PAT you configure that you want to for these VPN Clients.

Hope this helps

- Jouni

New Member

Hi JouniForss,

Thanks for the quick reply. Looking good, I never thought to put it at the top; I was configuring it as a network object NAT rule. Looks like VPN users can still see internal servers too!

Thanks
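The ordering point in this thread, as an added example that is not from either poster: a small Python model of how ASA 8.3+ orders NAT rules (manual NAT in section 1 in configured order, object NAT in section 2, `after-auto` manual NAT in section 3), run over the hairpin rule plus a port forward written first as object NAT and then as the line-1 manual rule from the accepted answer. The server address 10.0.0.10 and the object NAT line are constructed, and the function names are hypothetical.

```python
import re

NAT_RE = re.compile(r"^(\s*)nat \((\S+),(\S+)\)\s+(.*)$")

def nat_order(config):
    """Return (section, rule) pairs in the order the ASA evaluates them."""
    manual, auto, after = [], [], []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        text, words = line.strip(), m.group(4).split()
        if m.group(1):                          # indented under an object: section 2
            auto.append(text)
            continue
        target = manual                         # top-level "nat": manual NAT, section 1
        if words and words[0] == "after-auto":  # manual NAT after object NAT: section 3
            target, words = after, words[1:]
        if words and words[0].isdigit():        # line number: insert at that position
            target.insert(int(words[0]) - 1, text)
        else:                                   # no line number: end of the section
            target.append(text)
    # Simplification: inside section 2 only "static before dynamic" is modelled.
    auto.sort(key=lambda t: " static " not in t)
    return [(1, t) for t in manual] + [(2, t) for t in auto] + [(3, t) for t in after]

def forwards_to_review(config, mapped_if="outside"):
    """Object NAT rules using the interface address of mapped_if that are
    evaluated after a section 1 rule using that same interface address."""
    order = nat_order(config)
    uses_if = lambda t: f",{mapped_if})" in t and " interface" in t
    if not any(s == 1 and uses_if(t) for s, t in order):
        return []
    return [t for s, t in order if s == 2 and uses_if(t)]

# Hairpin rule as posted in the question.
HAIRPIN = ("nat (outside,outside) source dynamic NETWORK_OBJ_172.16.1.0_28 interface "
           "description hairpin for vpn users natting on the outside interface\n")
# Constructed: port forward as object NAT (address 10.0.0.10 is an assumption).
BEFORE = HAIRPIN + ("object network SERVER\n host 10.0.0.10\n"
                    " nat (server,outside) static interface service tcp www www\n")
# Constructed: same forward as the line-1 manual NAT rule from the accepted answer.
AFTER = HAIRPIN + ("object network SERVER\n host 10.0.0.10\n"
                   "object service WWW\n service tcp source eq www\n"
                   "nat (server,outside) 1 source static SERVER interface service WWW WWW\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, nat_order(cfg), forwards_to_review(cfg))
```

On the ASA itself, `show nat` lists the rules per section in evaluation order, which is the check this model mirrors.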

