Cisco Support Community

New Member

hairpinning in asa 5510

Hi all,

My gateway is an ASA 5510 version 7.2(4) with IP In my network there is a router which is connected to other networks and There is a static route configured on my ASA to direct traffic bound for and to point to However, from my PC I could not access the 2 networks and I thought hairpinning is supported on the ASA, which allows same-security traffic in and out of the same interface. I added the command "same-security-traffic permit intra-interface" but it doesn't work. Must I also add the "global (inside) 1 interface" command?

I also understand that there are admins who do DNS rewrite or hairpinning to allow their DNS clients to access internal servers using the public IP. Which method is better, in that it has less overhead in terms of network traffic?

Please advise. Thanks in advance.


Re: hairpinning in asa 5510


If the ASA is required to NAT the traffic, then besides the "same-security-traffic permit intra-interface" command, you need the NAT rule you mentioned.

If you need further advice please specify.


Cisco Employee

Re: hairpinning in asa 5510

Typically, you do need the global statement if the firewall is your default gateway and you are accessing other networks behind the router. This will ensure that the firewall is seeing all the traffic and will not block any of the TCP traffic.

The DNS re-write option may not apply over here as we are looking at accessing a different network altogether. DNS rewrite is used when you have a server on the inside network (same as your clients) and you are trying to access that server using its public IP.

In this scenario, the best solution would be to make your router the default gateway for network and make the firewall the default gateway for the router. This will ensure that the router will route subnets to the corresponding interfaces and the rest of the traffic to the firewall. This is the easiest and most efficient solution, as this will not burden your firewall with unnecessary NAT translations and also will not affect your traffic negatively.
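The three designs discussed in this thread, traced through a TCP handshake. This is an added example, not part of any post above: it is a simplified model of stateful inspection rather than ASA internals, and every address in it is constructed because the thread's own addresses are not on the page.

```python
import ipaddress

# Constructed addresses; the PC, the ASA and the router share one inside segment.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
ASA_INSIDE = ipaddress.ip_address("192.168.1.1")
PC = ipaddress.ip_address("192.168.1.50")


class Firewall:
    """Simplified stateful model: the final ACK is accepted only if the
    firewall also saw the SYN-ACK of the same handshake."""

    def __init__(self, hairpin_nat):
        self.hairpin_nat = hairpin_nat
        self.seen = []    # handshake segments the firewall handled
        self.xlate = {}   # translated source -> real source

    def outbound(self, src, segment):
        self.seen.append(segment)
        if self.hairpin_nat:
            # Effect of "global (inside) 1 interface": source becomes the ASA's inside IP.
            self.xlate[ASA_INSIDE] = src
            return ASA_INSIDE
        return src

    def inbound(self, dst, segment):
        self.seen.append(segment)
        return self.xlate.get(dst, dst)   # undo the translation


def handshake(default_gw_is_asa=True, hairpin_nat=False):
    """Return (established, segments handled by the firewall)."""
    if not default_gw_is_asa:
        # Router is the PC's gateway: traffic to its subnets never reaches the firewall.
        return True, []
    fw = Firewall(hairpin_nat)
    reply_dst = fw.outbound(PC, "SYN")
    if reply_dst in INSIDE_NET and reply_dst != ASA_INSIDE:
        pass  # router delivers the SYN-ACK straight to the PC, bypassing the firewall
    elif fw.inbound(reply_dst, "SYN-ACK") != PC:
        return False, fw.seen
    if "SYN-ACK" not in fw.seen:
        return False, fw.seen   # asymmetric path: the firewall rejects the ACK
    fw.outbound(PC, "ACK")
    return True, fw.seen


if __name__ == "__main__":
    for gw, nat in [(True, False), (True, True), (False, False)]:
        print(f"asa_is_gateway={gw} hairpin_nat={nat} ->", handshake(gw, nat))
```
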