Wednesday 17 February 2016

NAT hairpinning configuration with ASA 8.3+

A NAT hairpin is used to access hosts in a network from the same network that are using an outside address. Traffic goes from the inside to outside and then back to the inside - visualizing this it resembles a 'hairpin.'

Now lets say we had a server that was resolved to internally (this might be a server attached to the outside interface or simply one on the internet - instead we want this IP address to translate to an internal IP on our side interface.

Now firstly in order to allow an inside address to access the outside address and then re-translate itself you are required to use the following command (which permits traffic between interfaces with the same security level):

same-security-traffic permit intra-interface

IOS Pre-8.3

static (inside,inside) netmask

on IOS 8.3+

We can do this with twice NAT:

object network outside-server

object network inside-server

object network inside-network

nat (inside,inside) source dynamic inside-network interface destination static outside-server inside-server

or alternatively with autonat:

object network myWebServer
nat (inside,inside) static

In conclusion - when we ping we should see we are being translated to - the easiest way to verify is to use either packet tracer or attempt to connect to the web server's HTTP port.


Post a Comment