In 8.4, if I use object nat, the hairpin functionality works perfectly,
object network obj-insideip
nat (inside,inside) static publicip
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
When Host A tries to ping its translated ip address, the packet goes to the Default gateway of the PC which is the ASA.
The source ip address is 10.0.0.1 and the destination ip address 172.20.0.1 and it translated it back to 10.0.0.1 , now the source ip address is 10.0.0.1 and destination ip address is 10.0.0.1 too.
And for ASA this is a land attack, where the source and destination ip address of the packet is same. And shouldn’t work.
Host ASA 10.0.0.1 tries to ping 172.20.0.2 and the packet goes to the ASA and ASA translates it back to 10.0.0.2 , and when packet reaches 10.0.0.2 the source ip address is 10.0.0.1.
Now Both 10.0.0.1 and 10.0.0.2 are connected on the same switch. Hence 10.0.0.2 replies back directly to 10.0.0.1 and 10.0.0.1 sees it coming back from 10.0.0.2.
ICMP works fine because it is stateless, but with TCP traffic in this case . the SYN packet goes through the ASA, the SYN+ACK goes directly from the 10.0.0.2 to the 10.0.0.1 without going through the ASA and then 10.0.0.1 replies with an ACK which goes towards the ASA because ASA is the gateway of 10.0.0.1 and ASA drops this packet because ASA never got the SYN+ACK for this connection and instead sees an ACK coming back and logs this message.
"Deny TCP (no connection) on interface inside due to ACK"
This is asymmetric routing in the network.
We can try this
"nat (inside,inside) source static any interface destination static publicip obj-insideip"
This will translate the source ip address of the packet to the inside interface of the ASA when 10.0.0.1 tries to reach 172.20.0.2, and when this packet reaches 10.0.0.2 the PC sees it coming from the inside interface of the ASA and hence this PC replies back to the Inside interface of the ASA rather than replying back directly to 10.0.0.1 and this packet goes back to 10.0.0.1 from the ASA and should see it coming back from 172.20.0.2
By this way all the three TCP packets go through one symetric routing path and ASA will not drop these connections.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...