Wednesday 17 February 2016

NAT hairpinning configuration with ASA 8.3+

A NAT hairpin lets hosts on a network reach another host on that same network by its outside (public) address. Traffic goes from the inside to the outside address and then straight back to the inside; visualised, the path resembles a hairpin.

Now let's say we have a server that resolves to 66.77.88.99 internally (this might be a server attached to the outside interface or simply one on the internet). Instead of sending that traffic out, we want this IP address to translate to an internal IP on our inside interface.

Firstly, in order to allow an inside address to access the outside address and then be re-translated back to the inside, you are required to use the following command, which permits traffic to enter and leave the same interface (the inside-to-inside hop the hairpin relies on):

same-security-traffic permit intra-interface

Pre-8.3 ASA software

The old static syntax is written mapped address first, then real address, so the outside address 66.77.88.99 is the mapped address and the internal server 192.168.0.100 is the real address:

static (inside,inside) 66.77.88.99 192.168.0.100 netmask 255.255.255.255

On ASA 8.3 and later

We can do this with twice NAT. The destination clause is written mapped object then real object, so traffic sent to outside-server (66.77.88.99) is untranslated to inside-server (192.168.0.100). The source clause additionally translates the client to the inside interface address, so the server's replies come back through the ASA instead of going directly to the client on the LAN (which would break the connection):

object network outside-server
host 66.77.88.99

object network inside-server
host 192.168.0.100

object network inside-network
subnet 192.168.240.0 255.255.255.0

nat (inside,inside) source dynamic inside-network interface destination static outside-server inside-server

or alternatively with auto NAT, where the object holds the real (inside) address of the server and the nat statement supplies the mapped outside address:

object network myWebServer
host 192.168.0.100
nat (inside,inside) static 66.77.88.99

Note that this form only translates the destination; the server sees the client's real address and replies to it directly on the LAN, so TCP connections can fail unless the server's return path goes back through the ASA. The twice NAT form above avoids this by also translating the source.

In conclusion, when we ping 66.77.88.99 we should see the destination being translated to 192.168.0.100. The easiest way to verify is to use packet-tracer, or to attempt to connect to the web server's HTTP port.
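A verification session for the twice NAT rule above, added here as an example and not part of the original post; the client address 192.168.240.10 and source port 12345 are constructed values:

```cisco
! Simulate a TCP/80 request from an inside client to the outside address
packet-tracer input inside tcp 192.168.240.10 12345 66.77.88.99 80 detailed
! Confirm the (inside,inside) rule exists and its hit counters increase
show nat detail
! Look for the live translation entries once a real connection is made
show xlate
show conn address 192.168.0.100
```

In the packet-tracer output the NAT phase should show the destination untranslated to 192.168.0.100 and the source translated to the inside interface address, with a final result of ALLOW; a DROP in the NAT or flow-lookup phase usually means the same-security-traffic command is missing or the rule's objects are reversed.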
