
New Member

Object Nat to Twice NAT configuration ASA5505 8.4

We have an ASA5505 that we need to enable hairpinning on....

In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using

static (inside,outside) outside_ip inside_ip netmask

static (inside,inside) outside_ip inside_ip netmask

In 8.4, if I use object nat, the hairpin functionality works perfectly,

object network obj-insideip

  nat (inside,inside) static publicip

however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.

nat (inside,inside) source static private_object public_object destination static public_object private_object

allows hairpinning to successfully work from the same machine.  Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip.  Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.

Any insight into this issue would be appreciated.

New Member

Object Nat to Twice NAT configuration ASA5505 8.4


if this is your setup

Host A Private:

Host A Public:

Host B Private:

Host B Public:

When Host A tries to ping its translated ip address, the packet goes to the Default gateway of the PC which is the ASA.

The source ip address is and the destination ip address and it translated it back to , now the source ip address is and destination ip address is too.

And for ASA this is a land attack, where the source and destination ip address of the packet is same. And shouldn’t work.

Test 2

Host ASA tries to ping and the packet goes to the ASA and ASA translates it back to , and when packet reaches the source ip address is

Now Both and are connected on the same switch. Hence replies back directly to and sees it coming back from

ICMP works fine because it is stateless, but with TCP traffic in this case, the SYN packet goes through the ASA, the SYN+ACK goes directly from the to the without going through the ASA and then replies with an ACK which goes towards the ASA because ASA is the gateway of and ASA drops this packet because ASA never got the SYN+ACK for this connection and instead sees an ACK coming back and logs this message.

"Deny TCP (no connection) on interface inside due to ACK"

This is asymmetric routing in the network.

We can try this

"nat (inside,inside) source static any interface destination static publicip obj-insideip"

This will translate the source ip address of the packet to the inside interface of the ASA when tries to reach, and when this packet reaches the PC sees it coming from the inside interface of the ASA and hence this PC replies back to the Inside interface of the ASA rather than replying back directly to and this packet goes back to from the ASA and should see it coming back from

By this way all the three TCP packets go through one symmetric routing path and ASA will not drop these connections.
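The complete 8.4 configuration implied by the reply above, written out as an added example (not posted by either participant) with constructed addresses: inside network 192.168.1.0/24, ASA inside interface 192.168.1.1, server 192.168.1.10, public address 203.0.113.5 (RFC 5737 documentation range). The hairpin rule uses the `source dynamic any interface` form (interface PAT) that Cisco documents for this case, where the reply writes `static`; the verification commands are assumed to be run from enable mode.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! Required before any inside-to-inside (hairpin) flow is permitted at all.
same-security-traffic permit intra-interface
!
! Object NAT: the single static mapping the server is allowed to carry.
object network obj-insideip
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.5
!
! Plain object for the public address, referenced by the twice-NAT rule below.
object network publicip
 host 203.0.113.5
!
! Twice NAT hairpin rule. Source side: inside clients are PATed to the ASA's inside
! interface address, so the server answers the ASA instead of the client directly.
! Destination side: the public IP is untranslated to the server's private IP.
! Without the source translation the SYN+ACK bypasses the ASA (asymmetric path)
! and the client's ACK is dropped with "Deny TCP (no connection)" (%ASA-6-106015).
nat (inside,inside) source dynamic any interface destination static publicip obj-insideip
!
! Verification: simulate a client (192.168.1.20) opening TCP/80 to the public IP
! and confirm the hairpin NAT phases are hit and the flow is ALLOWED.
packet-tracer input inside tcp 192.168.1.20 40000 203.0.113.5 80
!
! Confirm the translations and check that the no-connection ACK drops have stopped.
show nat detail
show xlate
show logging | include 106015
```

Because the source is PATed to the inside interface, the server's own logs will record connections from 192.168.1.1 rather than from the real client; keep that in mind when correlating server-side events with the ASA's connection log.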