Cisco ASA redirects

Posted on 2006-04-06
Medium Priority
Last Modified: 2013-11-16
I know that a Cisco PIX is NOT able to do a redirect, I mean, to route a packet back to the same interface it came from, but can a Cisco ASA do it? I desperately need it to do it. Why is it not able to do it?

I know a firewall is not a router, but it should have certain routing capabilities to centralize all traffic.

Please help!!!
Question by:llandajuela
LVL 79

Expert Comment

ID: 16391792
PIX version 7.0 and the ASA will do it.
The little PIX 501/506 does not support ver 7.0.
515e and bigger only.

It's called "hairpinning", using the following command:
   same-security-traffic permit intra-interface

Example configuration:


Author Comment

ID: 16394508
Thanks for the answer, lrmoore.

I think I saw a similar checkbox in ASDM, allowing traffic between same security level interfaces. I did mark it.

I am trying to route traffic from any "inside" client to other corporate sites back to the inside through the Firewall, but I am getting "Deny inbound connection from 192.168.1.x inside to 192.168.8.x inside" messages in the syslog.

Do I need to configure any access rule or NAT rule? The problem is that it won't let me configure a rule from inside to inside.

Here's the situation:

                           Inside ------------------------------   Cisco ASA   Public IP ------------ Internet
             Router to WAN
                         WAN sites ( for ex)

I want my inside hosts to have the ASA's internal IP as their default gateway, and the ASA to route the WAN traffic back to the WAN router through the inside interface.

Can I do it? I hope I can?


LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16394944
That you still can't do.
You have little choice other than to set the WAN router's default pointing to the ASA and point your internal clients to the WAN router. This would be your best option.


Author Comment

ID: 16398259

I have 4 physical ports in my ASA 5510, but I only see 3 ethernet ports in ASDM. I use inside, outside and DMZ.

Would it work if I would have one more available port and connect it to the inside also?

Can I purchase an extra license to have one more port available? (which I already physically have)

LVL 79

Expert Comment

ID: 16400297
My advice - use the simple solution.
If you have 4 physical ports, you should be able to see them/use them all.

Expert Comment

ID: 16414409
I agree with lrmoore, the simplest solution is to just change the d.g. of the internal client to point to the WAN router.
If you don't want to do that and money is not an issue then purchase the ASA license upgrade so you can have another DMZ. Now when you have that done, you can transfer the WAN router connection to the new DMZ and do the following on the ASA:

1) initialize the new interface by assigning it an interface name, sec level and ip address
2) add some static or nat rule depending on the flow of traffic
3) create access-rules
4) add route for the wan sites on the ASA

Hope it helps.
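
The four steps in the comment above, written out as an added example configuration (not posted by anyone in this thread). It uses pre-8.3 ASA syntax; the port Ethernet0/3, the interface name "wan", security level 50, the transfer subnet 192.168.254.0/24 and the ACL name are assumptions, while 192.168.1.0/24 (inside) and 192.168.8.0/24 (one WAN site) follow the addresses in the syslog message quoted earlier.

```cisco
! Assumed layout (constructed for illustration):
!   inside LAN        192.168.1.0/24   (from the thread)
!   WAN site          192.168.8.0/24   (from the thread)
!   ASA  <-> WAN rtr  192.168.254.0/24 (assumed transfer subnet)
!   WAN router        192.168.254.2    (assumed)
!
! 1) Initialize the new interface: name, security level, IP address.
!    A level below inside (100) means traffic arriving from the WAN
!    must be explicitly permitted by an ACL.
interface Ethernet0/3
 nameif wan
 security-level 50
 ip address 192.168.254.1 255.255.255.0
 no shutdown
!
! 2) Static/NAT rule. This identity static presents the inside subnet
!    untranslated on the wan interface, so WAN sites can reach inside
!    hosts by their real addresses. It is required when nat-control
!    is enabled.
static (inside,wan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! 3) Access rules. Inside-to-wan sessions are allowed by default
!    (higher to lower security level). Sessions initiated from the
!    WAN site need an inbound ACL; permit only the known site subnet
!    and, in production, only the services it needs rather than "ip".
access-list wan_in extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group wan_in in interface wan
!
! 4) Route for the WAN site via the WAN router on the new interface.
!    Repeat for each remote site subnet.
route wan 192.168.8.0 255.255.255.0 192.168.254.2 1
```

With this in place the inside clients keep the ASA as their default gateway, and WAN traffic enters and leaves on different interfaces, so no hairpin on the inside interface is needed.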

Author Comment

ID: 16454829
Well, I have to accept it is not possible, but I still try to figure out why Cisco engineers don't want the PIX and ASA to do such a simple thing, when they are already capable of doing static routing, and even OSPF!

Thank you guys, anyway.
