Cisco Support Community

Hairpin Static NAT

I created a hairpin NAT statement on an ASA so that users can access an internal website using its external IP address. I'm able to ping the site from the workstations without a problem, but I'm unable to pull up the site. It works fine externally. Anyone run into a similar issue? Running 8.2(5).


Re: Hairpin Static NAT


You are most probably lacking a translation for the source address while you have the translation for the destination address.

What I mean is that the connection currently goes like this

  • Host connects to server public
  • Connection reaches ASA
  • ASA untranslates the destination address to the real IP address
  • The server sees the connection coming from a local IP address
  • The server replies to that local IP address directly without sending the traffic to ASA (as it sees the source host in the same network)
  • Connection gets stuck because the traffic doesn't flow correctly

So let's use this example information to configure the correct translation

  • Local network
  • Server
  • Public IP address
  • Interfaces called "inside" and "outside"

Default Dynamic PAT for outbound

global (outside) 1 interface

nat (inside) 1

Static NAT outbound

static (inside,outside) netmask

Static NAT for local traffic

static (inside,inside) netmask

So you probably have all the above things in a similar form already on the ASA.

What you need to add is this

global (inside) 1 interface

This (together with the earlier "nat" command) will translate the users' source address while connecting to the server with the public IP address. Because we translate the users to the ASA's "inside" interface IP address, this means that the ASA will see all the packets related to the connection and the connection should work.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
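
The packet path described in the answer above, as an added example that is not part of the original thread: a small Python trace of one TCP handshake through the hairpin, with and without the source translation. All addresses, the PAT port and the function name are constructed for illustration.

```python
import ipaddress

# Constructed lab addresses (assumptions; the thread gives no real values).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
ASA_INSIDE = "10.0.0.1"          # ASA "inside" interface
SERVER_REAL = "10.0.0.10"        # web server's real address
SERVER_PUBLIC = "203.0.113.10"   # address used in the static NAT
CLIENT = "10.0.0.50"             # workstation on the same subnet
PAT_PORT = 1024                  # constructed port picked by the PAT


def trace_hairpin(source_pat, sport=40000, dport=80):
    """Trace a TCP SYN and its SYN-ACK as (src, sport, dst, dport) tuples.

    Returns (handshake_ok, hops)."""
    hops = []
    syn = (CLIENT, sport, SERVER_PUBLIC, dport)
    # The client only accepts a reply that mirrors the tuple it sent.
    expected = (SERVER_PUBLIC, dport, CLIENT, sport)
    hops.append(("client -> ASA", syn))

    # static (inside,inside): destination becomes the real address.
    src, sp = CLIENT, sport
    if source_pat:
        # nat (inside) 1 + global (inside) 1 interface: source becomes the ASA.
        src, sp = ASA_INSIDE, PAT_PORT
    hops.append(("ASA -> server", (src, sp, SERVER_REAL, dport)))

    # The server answers whatever source address it saw.
    reply = (SERVER_REAL, dport, src, sp)
    if src == ASA_INSIDE:
        hops.append(("server -> ASA", reply))
        # The ASA reverses both translations from its xlate table.
        reply = (SERVER_PUBLIC, dport, CLIENT, sport)
        hops.append(("ASA -> client", reply))
    elif ipaddress.ip_address(src) in INSIDE_NET:
        # Same subnet: delivered on the LAN, the ASA never sees it.
        hops.append(("server -> client (bypasses ASA)", reply))
    return reply == expected, hops


if __name__ == "__main__":
    for pat in (False, True):
        ok, hops = trace_hairpin(pat)
        print(f"source PAT={pat}: handshake {'completes' if ok else 'fails'}")
        for name, pkt in hops:
            print(f"  {name:32} {pkt}")
```

Without the source translation the SYN-ACK arrives from the server's real address, which matches no connection on the client, and the ASA only ever sees one direction of the flow.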
