NAT Hairpinning on ASA 5505 [9.1(2)]

bill

I can't seem to get NAT hairpinning to work...  Most instructions on the internet indicate how to do this with commands available prior to 8.3.

I've tried the following:

same-security-traffic permit intra-interface

asa-box(config)# object network my-inside-address-obj
asa-box(config-network-object)# nat (inside,inside) static my-outside-address-obj

which didn't work.

Then I added:

access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range

with

access-group hairpin_allow in interface inside

which also didn't work (trying to show due diligence here...).

Then I tried:

nat (inside,inside) source static Internal_NAT_Range Internal_NAT_Range destination static External_NAT_Range External_NAT_Range

Still a no go.

Finally, I added:

"9. To avoid packet-drops due to the asymmetric nature of routing that's occurring internally, we need the ASA to bypass stateful inspection for this particular traffic. For this, we need to configure the following:

ASA(config)#access-list tcp_bypass extended permit tcp object Internal_NAT_Range object External_NAT_Range
   !--- Configure the access list to specify the TCP traffic
   !--- that needs to by-pass inspection to improve the performance.

   !--- Configure the class map and specify the match parameter for the
   !--- class map to match the interesting traffic.
   ASA(config)#class-map tcp_bypass
   ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"
   ASA(config-cmap)#match access-list tcp_bypass

   !--- Configure the policy map and specify the class map
   !--- inside this policy map for the class map.
   ASA(config-cmap)#policy-map tcp_bypass_policy
   ASA(config-pmap)#class tcp_bypass

   !--- Use the set connection advanced-options tcp-state-bypass
   !--- command in order to enable TCP state bypass feature.
   ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass

   !--- Use the service-policy policymap_name [ global | interface intf ]
   !--- command in global configuration mode in order to activate a policy map
   !--- globally on all interfaces or on a targeted interface.
   ASA(config-pmap-c)#service-policy tcp_bypass_policy inside"

Again, nothing...

My config (clean/before any of the above) is as follows...

...
object network External_NAT_Range
 range x.x.56.3 x.x.59.255
object network Internal_NAT_Range
 range 172.17.56.3 172.17.59.255
object network InternalIPs
 subnet 172.17.56.0 255.255.248.0
object network VpnIPs
 subnet 172.17.63.0 255.255.255.0
object network InternalIPs_OutOnly
 range 172.17.60.1 172.17.62.254
...
nat (inside,outside) source static InternalIPs InternalIPs destination static VpnIPs VpnIPs no-proxy-arp route-lookup description Un-Nats VPN IPs
nat (inside,outside) source dynamic InternalIPs_OutOnly interface description Allows remaining interior network to access the Internet
!
object network Internal_NAT_Range
 nat (inside,outside) static External_NAT_Range net-to-net
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.56.1 1
...

---------------------------------

I just want to be able to access an external resource, say, http://x.x.56.5 from an internal IP, say, 172.17.56.8

I tried to use DNS doctoring.  The configuration was much simpler, and worked, but when PTR requests came in from the internet, DNS doctoring seemed to also translate the outbound responses to reflect my internal IPs, which was obviously quite wrong...

Any help from you Cisco pros would be appreciated!

Thanks!
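An added example, not posted in this thread and not taken from Cisco's documentation: the post-8.3 twice-NAT form of the hairpin the question above is trying to build, using the object names from the config already shown. Two things differ from the attempts listed. The destination translation maps External_NAT_Range to Internal_NAT_Range (the attempt above mapped External_NAT_Range to itself, so the public destination was never un-translated), and the client source is PATed to the inside interface address rather than left unchanged. Without that source translation the internal server sees the client's real 172.17.x.x address and answers it directly on the LAN, the ASA never sees the SYN/ACK, and the connection hangs; that same asymmetry is what the TCP state bypass policy above was trying to paper over, and it is not needed once the reply is forced back through the firewall. The x.x.56.x addresses are the page's own redaction and are kept as placeholders here.

```cisco
! Added example: hairpin (U-turn) NAT on ASA 8.3+/9.x using the objects from the thread.
! Traffic that enters and leaves the same interface must be permitted first.
same-security-traffic permit intra-interface
!
object network Internal_NAT_Range
 range 172.17.56.3 172.17.59.255
object network External_NAT_Range
 range x.x.56.3 x.x.59.255
object network InternalIPs
 subnet 172.17.56.0 255.255.248.0
!
! Existing 1:1 object NAT for the servers (Internet -> inside), unchanged.
! Both ranges are the same size (1021 addresses), which net-to-net requires.
object network Internal_NAT_Range
 nat (inside,outside) static External_NAT_Range net-to-net
!
! Hairpin rule: an inside client sends to a public address in External_NAT_Range.
!  - destination static <mapped> <real>: x.x.56.7 is un-translated to 172.17.56.7
!  - source dynamic ... interface: the client is PATed to the inside interface IP,
!    so the server's replies are routed back to the ASA instead of straight to
!    the client on the same LAN segment.
! Twice NAT (section 1) is evaluated before object NAT (section 2), so this rule
! wins over the (inside,outside) object NAT for hairpinned flows without any
! reordering.
nat (inside,inside) source dynamic InternalIPs interface destination static External_NAT_Range Internal_NAT_Range
!
! Verification, run from enable mode after the rule is in place:
! packet-tracer input inside tcp 172.17.56.18 12345 x.x.56.7 80
!   the NAT phase should show x.x.56.7 -> 172.17.56.7, the output interface
!   should be inside, and the final action should be allow
! show nat detail                  (hit counter on the (inside,inside) rule)
! show xlate                       (dynamic PAT entry for 172.17.56.18)
! show conn address 172.17.56.18   (the hairpinned connection, both legs)
```

A practical consequence of the source PAT: the internal servers will log every hairpinned client as the ASA's inside interface address, not the client's real IP. If real client addresses matter on the server side, the cleaner fix is split DNS (internal resolvers answering 172.17.56.7 for the public name), which avoids the hairpin entirely; the DNS doctoring mentioned above is the ASA-side version of that and has the PTR side effect the question describes.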

27 Replies

Hello Carlo,

That's it man. The ASA shows it's allowed.

Do a capture on the inside interface to check the traffic flow.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

that was inside, let me try outside

crxasa# packet-tracer input inside tcp 208.x.x.12 smtp 12.x.x.35 80

Outside???

But aren't we supposed to be testing traffic from an inside user to a public IP address that actually belongs to an internal server???

That's what we are tshooting here.

Regards,

Jcarvaja

Sorry about that, it is inside, cause it's traffic from inside to outside

So, why U-turning???

My recommendation.. Open a new discussion, explain the issue, and let us know when you open it.

Regards,

Jcarvaja

Sorry to confuse things, I do have the same issue as the OP, we can't get to an internal server that has a public IP or URL. Just trying not to have too many of the same threads, thanks.

Hello,

But traffic should not reach the outside bud (if we are talking about the same)

Regards,

Jcarvaja

Hello Carlo,

Why outside,

Explain your scenario cause then this will be a different issue than the owner of this post

Regards,

Jcarvaja

Yeah, I'm rather certain my issue is definitely inside,inside... my traffic should never need to touch the outside interface (I don't think).

I want my traffic originating from inside, a private/internal IP, to essentially bounce through the inside interface back (via the external IP) to a private/internal IP...

Perhaps a more thorough example:

1.) Internet IP x.x.56.7 is static net-to-net NATed to 172.17.56.7 (an internal IP)

2.) My workstation has IP 172.17.56.18.

3.) I want to browse to http://x.x.56.7 and I want it to act AS-IF I were browsing to http://172.17.56.7

4.) I want it to work this way for my whole range of internal IPs 1:1 NATed to my whole range of external IPs.

currently, browsing to http://x.x.56.7 hangs...

Thanks guys!


Hello,

Do the following

cap capin interface inside match tcp host 172.17.56.18 host x.x.56.7 eq 80

cap asp type asp-drop all circular-buffer

then try to connect and share

show cap capin

show cap asp | include x.x.56.7

Regards,

Jcarvaja

Hi guys, it works for me now, thanks for all the tips.

Hello,

Sure man, just remember to rate all of the helpful posts.

Regards,

Jcarvaja

Hi Julio, yes I have it in there

same-security-traffic permit intra-interface
