Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Object Nat to Twice NAT configuration ASA5505 8.4

We have an ASA5505 that we need to enable hairpinning on....

In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using

static (inside,outside) outside_ip inside_ip netmask 255.255.255.255

static (inside,inside) outside_ip inside_ip netmask 255.255.255.255

In 8.4, if I use object nat, the hairpin functionality works perfectly,

object network obj-insideip

  nat (inside,inside) static publicip

however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.

nat (inside,inside) source static private_object public_object destination static public_object private_object

allows hairpinning to successully work from the same machine.  Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip.  Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.

Any insight into this issue would be appreciated.

1 REPLY
New Member

Object Nat to Twice NAT configuration ASA5505 8.4

Hi,

if this is your setup

Host A Private: 10.0.0.1

Host A Public: 172.20.0.1

Host B Private: 10.0.0.2

Host B Public: 172.20.0.2

When Host A tries to ping its translated ip address, the packet goes to the Default gateway of the PC which is the ASA.

The source ip address is 10.0.0.1 and the destination ip address 172.20.0.1 and it translated it back to 10.0.0.1 , now the source ip address is 10.0.0.1 and destination ip address is 10.0.0.1 too.

And for ASA this is a land attack, where the source and destination ip address of the packet is same. And shouldn’t work.

Test 2

Host ASA 10.0.0.1 tries to ping 172.20.0.2 and the packet goes to the ASA and ASA translates it back to 10.0.0.2 , and when packet reaches 10.0.0.2 the source ip address is 10.0.0.1.

Now Both 10.0.0.1 and 10.0.0.2 are connected on the same switch. Hence 10.0.0.2 replies back directly to 10.0.0.1 and 10.0.0.1 sees it coming back from 10.0.0.2.

ICMP works fine because it is stateless, but with TCP traffic in this case . the SYN packet goes through the ASA, the SYN+ACK goes directly from the 10.0.0.2 to the 10.0.0.1 without going through the ASA and then 10.0.0.1 replies with an ACK which goes towards the ASA because ASA is the gateway of 10.0.0.1 and ASA drops this packet because ASA never got the SYN+ACK for this connection and instead sees an ACK coming back and logs this message.

"Deny TCP (no connection) on interface inside due to ACK"

This is asymmetric routing in the network.

We can try this

"nat (inside,inside) source static any interface destination static publicip obj-insideip"

This will translate the source ip address of the packet to the inside interface of the ASA when 10.0.0.1 tries to reach 172.20.0.2, and when this packet reaches 10.0.0.2 the PC sees it coming from the inside interface of the ASA and hence this PC replies back to the Inside interface of the ASA rather than replying back directly to 10.0.0.1 and this packet goes back to 10.0.0.1 from the ASA and should see it coming back from 172.20.0.2

By this way all the three TCP packets go through one symetric routing path and ASA will not drop these connections.

Puneet

2167
Views
0
Helpful
1
Replies