Cisco ASA Hairpin Internal Server

The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface. This kind of traffic pattern is called hairpinning or u-turn traffic. In the first hairpin example I explained how traffic from remote VPN users was dropped when you are not using split horizon, this time we will look at another scenario.

Take a look at the following topology:

[Figure: Cisco ASA hairpin internal server topology]

Above we have a webserver using IP address on our internal LAN. The ASA is configured so that IP address on the outside is translated to IP address. This allows users on the Internet to access our webserver.

What if we want our internal hosts to access the webserver using the same outside IP address ( instead of its internal IP address ( We can do this by configuring hairpinning on our ASA. Take a look below:

[Figure: Cisco ASA hairpin internal host]

H1 is on the same subnet as the webserver but is trying to reach the webserver using IP address. With the default configuration of our ASA, traffic will be routed to the outside and will never end up at the webserver.

Instead of configuring hairpinning it might be a better idea to set up a local DNS server that resolves the hostname of the webserver to the local IP address.

Startup Configurations

Want to try this yourself? Here you will find the startup configuration of each device.


hostname H1
interface GigabitEthernet0/1
 ip address
ip default-gateway


hostname Web
interface GigabitEthernet0/1
 ip address
ip default-gateway


hostname H2
interface GigabitEthernet0/1
 ip address
ip default-gateway


hostname ASA1
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 
object network WEB_SERVER
access-list OUTSIDE_TO_INSIDE extended permit tcp any host 
object network WEB_SERVER
 nat (INSIDE,OUTSIDE) static
access-group OUTSIDE_TO_INSIDE in interface OUTSIDE
: end

Let’s see how the ASA is configured at the moment:

ASA1# show xlate 
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
    flags s idle 0:01:37 timeout 0:00:00

Above you can see that the ASA is currently only translating IP address on the inside to IP address on the outside. This allows a host on the outside to reach the webserver:

H2#telnet 80
Trying, 80 ... Open

H1 on the inside however is unable to reach the webserver using the outside IP address:

H1#telnet 80
Trying, 80 ... 
% Connection timed out; remote host not responding

Let’s fix this!


The first thing we have to do is to tell our ASA to permit traffic that enters and exits the same interface:

ASA1(config)# same-security-traffic permit intra-interface

Now we can focus on the NAT configuration. First I will create some objects that match:

  • the subnet of the internal hosts ( /24).
  • the translated outside IP address of the webserver.
  • the inside IP address of the webserver.
  • the TCP port that we use for HTTP traffic.

Here are the objects:

ASA1(config)# object-group network INTERNAL_HOSTS
ASA1(config-network-object-group)# network-object
ASA1(config)# object network WEB_PUBLIC
ASA1(config-network-object)# host
ASA1(config)# object network WEB_LOCAL
ASA1(config-network-object)# host
ASA1(config)# object service HTTP
ASA1(config-service-object)# service tcp destination eq 80

Now we can configure the NAT translation:
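The NAT statement that completes the hairpin, as an added example and not the article's own configuration. It uses the object names created above and the ASA 8.3+ twice NAT syntax; the addresses in angle brackets are placeholders because the article's own addresses are not reproduced here. The show and packet-tracer commands are the standard ASA verification commands, not output from the article.

```text
! Added example, not the article's configuration. Object names come from the
! article; <H1_IP>, <WEB_PUBLIC_IP> and <WEB_LOCAL_IP> are placeholders.

! Twice NAT for the hairpin: a packet from INTERNAL_HOSTS that enters INSIDE
! with destination WEB_PUBLIC on TCP/80 gets its destination rewritten to
! WEB_LOCAL and its source rewritten to the ASA's INSIDE interface address,
! then leaves on INSIDE again.
ASA1(config)# nat (INSIDE,INSIDE) source dynamic INTERNAL_HOSTS interface destination static WEB_PUBLIC WEB_LOCAL service HTTP HTTP

! Manual (twice) NAT lands in section 1 and is evaluated before the existing
! object NAT for WEB_SERVER in section 2, so this rule wins for INSIDE->INSIDE.
ASA1# show nat detail

! Walk a simulated SYN from H1 through the ASA. The trace should show the
! INSIDE->INSIDE flow allowed by same-security-traffic permit intra-interface,
! the NAT phase rewriting both source and destination, and a final ALLOW.
ASA1# packet-tracer input INSIDE tcp <H1_IP> 1025 <WEB_PUBLIC_IP> 80 detailed

! Once H1 connects, the translation and the connection are visible:
ASA1# show xlate
ASA1# show conn
```

The source translation to the INSIDE interface address is not optional: without it the webserver would see H1's real address on its own subnet and send the SYN-ACK straight back, bypassing the ASA, and H1 would discard a reply from WEB_LOCAL when it was expecting one from WEB_PUBLIC. The price is that the webserver's logs record the ASA's inside address for every internal client, so per-client attribution for hairpinned sessions has to come from the ASA's own connection logging. Note also that this flow never passes through the OUTSIDE_TO_INSIDE access list, since it enters INSIDE; if only some internal hosts should be able to use the hairpin, apply an access list on INSIDE or narrow INTERNAL_HOSTS. If the internal hosts resolve the webserver's name through a DNS server on the outside, adding the dns keyword to the existing object NAT (nat (INSIDE,OUTSIDE) static <WEB_PUBLIC_IP> dns) rewrites the A record to the inside address and avoids the hairpin altogether.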



Forum Replies

  1. Excellent article Rene, have Cisco included the no-proxy-arp as implied on NAT statements in the 9.x code?

    This seemed to cause problems on 8.3 code with the ASA ARPing for the internal web/mail server.


  2. Hi Paul,

    Proxy ARP can be a pain sometimes but I think the default since 8.4 is to have it enabled on the ASA. It is enabled on my ASA 9.5:

    ASA1# sh run all sysopt | i proxy
    no sysopt noproxyarp OUTSIDE
    no sysopt noproxyarp INSIDE
    ASA1(config)# show version | incl Version
    Cisco Adaptive Security Appliance Software Version 9.5(1)201 
    Device Manager Version 7.5(1)


  3. Hi Rene,

    Why is there a need to access the web server using the public IP ( whereas we can access the server locally (directly)? Which special scenario would we use this for?
    Could you please explain further?


  4. Hi Zaman,

    If possible, I wouldn’t implement hairpinning like this (inside to inside NAT). It is easier to use a DNS server for hosts on the inside that resolves hostname of the webserver to the local IP address and another DNS server on the outside that resolves to the public IP address.

    Some reasons I can think of why you still want something like this:

    • You don't want to manage two DNS servers. This allows you to use one IP address to reach the webserver; it doesn't matter if you are on the inside or outside of the network.
    • You have laptops that are used on t
    ... Continue reading in our forum

  5. Hi Rene,

    Same as your diagram, but I replace SWL2 with SWL3. Is it possible?
