Cisco Support Community
Guest Network Hairpin

I just replaced a Netscreen firewall with an ASA 5515-X.  Everything works, almost!  The Netscreen allowed clients on the guest network to access NATed hosts on the DMZ and inside interfaces with their Internet addresses. There was nothing special about it, it just worked. I think on the ASA I need to set up a hairpin or U-turn to make this work.  I have looked around and I'm not sure I understand it, so I'm asking here.

Here's my config.  No VLANs on the ASA, just individual interfaces.

outside   #.#.#.#/28              From ISP
inside    10.0.0.0/8              internal DNS
guest     192.168.1.0/24          external DNS
dmz       192.168.2.0/24          external DNS

What I would like is for any client on the guest network to act as if it were any client on the Internet.  Is this doable? If so, what's the best way to do it?

Thanks...Jim


Guest Network Hairpin

To enable hairpinning it is just one command:

same-security-traffic permit intra-interface

Most often this is used when you have configured subinterfaces on the ASA and traffic is entering and then leaving the same interface.

Keep in mind that the above command just enables hairpinning, you may need more configuration to get traffic to flow.

--
Please remember to rate and select a correct answer

Guest Network Hairpin

Hello James,

So you have 4 different interfaces; no U-turn here, then.

You want the Guest users to access the Inside and DMZ servers by their public IP address.

All you need is

object network Real-Inside_Server
 host 10.0.0.9
object network Public_Inside_Server
 host 4.2.2.2
nat (inside,guest) 1 source static Real-Inside_Server Public_Inside_Server

And of course configure an ACL on the guest interface to allow access to the 10.0.0.9 host.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

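The manual NAT approach from the reply above, written out for both an inside server and a DMZ server (the question asked about both), together with the guest-interface ACL and the packet-tracer check that confirms the un-NAT actually happens. This is an added example, not configuration from the original post or from Cisco. The inside server addresses (real 10.0.0.9, published as 4.2.2.2) come from the reply; the DMZ host 192.168.2.10, its public address 203.0.113.10 (an RFC 5737 documentation address standing in for one from the outside /28), the guest client 192.168.1.10, the object and ACL names, and the choice of TCP/80 as the published service are assumptions.

```cisco
! Added example (not from the original post). Addresses marked "assumed"
! are placeholders; substitute the real ones from your outside /28.
!
! --- Inside server: real 10.0.0.9, published as 4.2.2.2 (from the reply) ---
object network Real-Inside_Server
 host 10.0.0.9
object network Public_Inside_Server
 host 4.2.2.2
!
! --- DMZ server: real 192.168.2.10, public 203.0.113.10 (both assumed) ---
object network Real-DMZ_Server
 host 192.168.2.10
object network Public-DMZ_Server
 host 203.0.113.10
!
! Static manual NAT is bidirectional. A guest client that sends to the public
! address has its destination translated back to the real address on the way
! in; the server's replies get the public address on the way out. The rules
! are per interface pair, so they sit beside the existing (inside,outside) and
! (dmz,outside) statics. Traffic enters on guest and leaves on inside/dmz,
! so "same-security-traffic permit intra-interface" is not needed for this.
nat (inside,guest) source static Real-Inside_Server Public_Inside_Server
nat (dmz,guest)    source static Real-DMZ_Server    Public-DMZ_Server
!
! Guest is a lower-security interface than inside and dmz, so traffic toward
! them needs an ACL. ASA 8.3+ ACLs match on the REAL (untranslated) address,
! hence 10.0.0.9 and 192.168.2.10 here, not the public addresses.
! Only HTTP is opened (assumed); add a line per published service.
access-list guest_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.9 eq www
access-list guest_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.10 eq www
! Keep guest out of everything else private, then let it reach the Internet.
access-list guest_in extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list guest_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list guest_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group guest_in in interface guest
!
! --- Verification (exec mode) ---
! Simulate a guest client (192.168.1.10, assumed) opening TCP/80 to the public
! address. The NAT phase should show the destination becoming 10.0.0.9, the
! ACCESS-LIST phase should hit guest_in, and the result should be
! "Action: allow" with output-interface inside.
packet-tracer input guest tcp 192.168.1.10 12345 4.2.2.2 80
! Then confirm the rules are installed and the translation was built:
show nat detail
show xlate
```

If packet-tracer shows the destination still as 4.2.2.2 in the NAT phase, the (inside,guest) static is not matching, usually because a broader manual NAT line earlier in the table matches first; `show nat detail` lists the rules in evaluation order. If the NAT phase is fine but the trace ends in "Action: drop" at ACCESS-LIST, the ACL is referencing the public address instead of the real one.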