Cisco Support Community
New Member

hairpin route on an ASA?

I have a customer with an ASA 5505 which works quite well with the one WAN outside interface connected to my ISP and the Internet and the inside interfaces connected to my LAN 192.168.19.x.

The client has installed a second high-speed (& expensive) WAN link for certain traffic and wants all data going to a certain subnet to be routed out that link. That WAN link has its own NAT router and the "inside" address of that router is 192.168.19.238.

I thought I could do this by just enabling hairpinning:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

and then adding a "route inside" statement...

route inside 123.45.67.0 255.255.255.0 192.168.19.238

But that doesn't seem to work; I get an error showing up in the log:

Oct 10 2008 14:23:42: %ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.19.116/2778 dst inside:123.45.67.2/80

Am I trying to do something that is simply impossible on the ASA, and perhaps I should recommend an 871 router?

Any thoughts?

2 REPLIES

Re: hairpin route on an ASA?

Just exclude that traffic from NAT as it seems you have nat-control enabled on the firewall.

access-list testacl permit ip 192.168.19.0 255.255.255.0 123.45.67.0 255.255.255.0

nat (inside) 0 access-list testacl

Please rate if helpful.

Regards

Farrukh

Cisco Employee

Re: hairpin route on an ASA?

Please add:

nat (inside) 1 0 0

global (inside) 1 interface

Regards,

Sushil
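
An added example, not part of the original thread: a Python script that scans syslog for the %ASA-3-305006 message quoted in the question, keeps the events whose source and destination interface are the same (the hairpin case), and emits NAT exemption commands in the form the first reply gives. The function names are hypothetical, and every sample log line other than the first is constructed for illustration.

```python
import ipaddress
import re

# Matches the %ASA-3-305006 message layout quoted in the question.
PORTMAP_FAIL = re.compile(
    r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
)

# Constructed sample input: line 1 is the message from the question, the rest are made up.
SAMPLE_LOG = """\
Oct 10 2008 14:23:42: %ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.19.116/2778 dst inside:123.45.67.2/80
Oct 10 2008 14:23:50: %ASA-3-305006: portmap translation creation failed for udp src inside:192.168.19.40/5060 dst outside:198.51.100.9/5060
Oct 10 2008 14:24:01: %ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.19.116/2779 dst inside:123.45.67.2/80
Oct 10 2008 14:24:05: some unrelated line
""".splitlines()


def hairpin_failures(lines):
    """Return 305006 events whose source and destination interface are the same."""
    events = []
    for line in lines:
        m = PORTMAP_FAIL.search(line)
        if m and m["src_if"] == m["dst_if"]:
            events.append(m.groupdict())
    return events


def nat_exempt_lines(events, local_net, remote_net, acl="testacl"):
    """Emit exemption commands (first reply's syntax) for interfaces with matching failures."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    ifaces = sorted({
        e["src_if"] for e in events
        if ipaddress.ip_address(e["src_ip"]) in local
        and ipaddress.ip_address(e["dst_ip"]) in remote
    })
    if not ifaces:
        return []  # no hairpin failure between these two networks was logged
    out = [f"access-list {acl} permit ip {local.network_address} {local.netmask} "
           f"{remote.network_address} {remote.netmask}"]
    out += [f"nat ({i}) 0 access-list {acl}" for i in ifaces]
    return out


if __name__ == "__main__":
    found = hairpin_failures(SAMPLE_LOG)
    print(f"{len(found)} same-interface translation failures")
    for cmd in nat_exempt_lines(found, "192.168.19.0/24", "123.45.67.0/24"):
        print(cmd)
```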
