Cisco ASA Hairpin Internal Server

The Cisco ASA firewall doesn't like traffic that enters and exits the same interface. This kind of traffic pattern is called hairpinning or u-turn traffic. In the first hairpin example I explained how traffic from remote VPN users was dropped when you are not using split horizon; this time we will look at another scenario.

Take a look at the following topology:

(Topology diagram: Cisco ASA hairpin internal server)

Above we have a webserver using IP address 192.168.1.2 on our internal LAN. The ASA is configured so that IP address 192.168.2.220 on the outside is translated to IP address 192.168.1.2. This allows users on the Internet to access our webserver.

What if we want our internal hosts to access the webserver using the same outside IP address (192.168.2.220) instead of its internal IP address (192.168.1.2)? We can do this by configuring hairpinning on our ASA. Take a look below:

(Topology diagram: Cisco ASA hairpin internal host)

H1 is on the same subnet as the webserver but is trying to reach the webserver using IP address 192.168.2.220. With the default configuration of our ASA, traffic will be routed to the outside and will never end up at the webserver.

Instead of configuring hairpinning it might be a better idea to setup a local DNS server that resolves the hostname of the webserver to the local IP address.

Startup Configurations

Want to try this yourself? Here you will find the startup configuration of each device.

H1

hostname H1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end

Web

hostname Web
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end

H2

hostname H2
!
interface GigabitEthernet0/1
 ip address 192.168.2.3 255.255.255.0
!
ip default-gateway 192.168.2.254
!
end

ASA1

hostname ASA1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0 
!             
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
object network WEB_SERVER
 host 192.168.1.2
access-list OUTSIDE_TO_INSIDE extended permit tcp any host 192.168.1.2 
!
object network WEB_SERVER
 nat (INSIDE,OUTSIDE) static 192.168.2.220
access-group OUTSIDE_TO_INSIDE in interface OUTSIDE
!
: end

Let’s see how the ASA is configured at the moment:

ASA1# show xlate 
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.2 to OUTSIDE:192.168.2.220
    flags s idle 0:01:37 timeout 0:00:00

Above you can see that the ASA is currently only translating IP address 192.168.1.2 on the inside to IP address 192.168.2.220 on the outside. This allows a host on the outside to reach the webserver:

H2#
H2#telnet 192.168.2.220 80
Trying 192.168.2.220, 80 ... Open

H1 on the inside however is unable to reach the webserver using the outside IP address:

H1#telnet 192.168.2.220 80
Trying 192.168.2.220, 80 ... 
% Connection timed out; remote host not responding

Let’s fix this!

Configuration

The first thing we have to do is to tell our ASA to permit traffic that enters and exits the same interface:

ASA1(config)# same-security-traffic permit intra-interface

Now we can focus on the NAT configuration. First I will create some objects that match:

  • the subnet of the internal hosts (192.168.1.0/24).
  • the translated outside IP address of the webserver.
  • the inside IP address of the webserver.
  • the TCP port that we use for HTTP traffic.

Here are the objects:

ASA1(config)# object-group network INTERNAL_HOSTS
ASA1(config-network-object-group)# network-object 192.168.1.0 255.255.255.0
ASA1(config)# object network WEB_PUBLIC
ASA1(config-network-object)# host 192.168.2.220
ASA1(config)# object network WEB_LOCAL
ASA1(config-network-object)# host 192.168.1.2
ASA1(config)# object service HTTP
ASA1(config-service-object)# service tcp destination eq 80

Now we can configure the NAT translation:
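Added example, not the lesson's own configuration: one way to combine the objects above into a manual (twice) NAT hairpin rule, assuming ASA 8.3 or later syntax and the object names defined on this page.

```cisco
! Added example (not the lesson's own text): a twice-NAT rule that ties the
! objects above together, using standard ASA 8.3+ syntax.
!
! 1. Allow traffic to enter and leave the same interface (hairpin / u-turn).
same-security-traffic permit intra-interface
!
! 2. Objects as defined in the lesson.
object-group network INTERNAL_HOSTS
 network-object 192.168.1.0 255.255.255.0
object network WEB_PUBLIC
 host 192.168.2.220
object network WEB_LOCAL
 host 192.168.1.2
object service HTTP
 service tcp destination eq 80
!
! 3. Hairpin rule for INSIDE -> INSIDE traffic:
!    - destination 192.168.2.220:80 is rewritten to 192.168.1.2:80
!      (WEB_PUBLIC -> WEB_LOCAL, HTTP -> HTTP)
!    - the source is rewritten to the INSIDE interface address
!      (192.168.1.254) so the web server replies to the ASA instead of
!      straight to H1; without that, H1 would receive a SYN/ACK from
!      192.168.1.2 for a connection it opened to 192.168.2.220 and drop it.
nat (INSIDE,INSIDE) source dynamic INTERNAL_HOSTS interface destination static WEB_PUBLIC WEB_LOCAL service HTTP HTTP
!
! Side effect worth knowing: the web server logs every hairpinned internal
! client as 192.168.1.254, so per-client attribution for those sessions has
! to come from the ASA connection logs rather than from the server.
!
! Verify with "show nat" (hit counters on the manual rule) and "show xlate"
! (the extra translations appear once H1 connects to 192.168.2.220).
```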



Forum Replies

  1. Hi Rene,

    Nice article. Please carry on.

    br/
    zaman

  2. Hi Rene,

    ASA1(config)# nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface

    I have a few doubts about the above statement:

    [1] Why is the keyword SOURCE used in the NAT statement?

    [2] What effect would it have if Dynamic is changed to Static in the NAT statement?

  3. STATIC is a one-to-one mapping, i.e. public 8.8.8.8 maps to private 10.10.10.1 all the time.

    DYNAMIC would be used if you had multiple connections that needed to be NATed, as you can then define a range of IP addresses using an access list, and when a NAT translation needs to be made it would use a free public IP address from the access list.

  4. Rene,

    I was thinking through how to lab up this lesson and was having trouble with the layout for the cloud labeled outside and the VPN user. I was thinking the cloud was a router with regular OSPF passing all traffic and the VPN user… Could you point me in the right direction (configs) on how to lab up this lesson?

    thank you

  5. Hello Christopher

    Yes, actually, you’re on the right track. You can create a router with three interfaces, each on a different subnet. Say something like this:

    //cdn-forum.networklessons.com/uploads/default/original/1X/faa6c2a873f74ae636d9ace51661a2d25e161669.jpg

    In this case, all of the 10.10.X.X address space can be considered “the Internet.”

    You can use OSPF if you like to convey routing information to all routers involved, or you could use static routing if you like as well. Just keep in mind that both the ASA and R2 must be informed of each other’s netw
