Cisco ASA redirects

Posted on 2006-04-06
Last Modified: 2013-11-16
I know that a Cisco PIX is NOT able to do a redirect, I mean, to route a packet back to the same interface it came from, but can a Cisco ASA do it? I desperately need it to do it. Why is it not able to do it?

I know a firewall is not a router, but it should have certain routing capabilities to centralize all traffic.

Please help!!!
Question by: llandajuela
    LVL 79

    Expert Comment

    PIX version 7.0 and the ASA will do it.
    The little PIX 501/506 does not support ver 7.0;
    515E and bigger only.

    It's called "hairpinning", using the following command:
       same-security-traffic permit intra-interface

    Example configuration:


    Author Comment

    Thanks for the answer, lrmoore.

    I think I saw a similar checkbox in ASDM, allowing traffic between same security level interfaces. I did mark it.

    I am trying to route traffic from any "inside" client to other corporate sites back to the inside through the firewall, but I am getting "Deny inbound connection from 192.168.1.x inside to 192.168.8.x inside" messages in the syslog.

    Do I need to configure any access rule or NAT rule? The problem is that it won't let me configure a rule from inside to inside.

    Here's the situation:

    Inside ------------------------------ Cisco ASA (Public IP) ------------ Internet
      |
    Router to WAN
      |
    WAN sites (for ex. 192.168.8.x)

    I want my inside hosts to have the ASA's internal IP as their default gateway, and the ASA to route the WAN traffic back to the WAN router through the inside interface.

    Can I do it? I hope I can.


    LVL 79

    Accepted Solution

    That you still can't do.
    You have little choice other than to set the WAN router's default pointing to the ASA and point your internal clients to the WAN router. This would be your best option.

    Author Comment


    I have 4 physical ports in my ASA 5510, but I only see 3 Ethernet ports in ASDM. I use inside, outside and DMZ.

    Would it work if I had one more available port and connected it to the inside as well?

    Can I purchase an extra license to have one more port available? (Which I already physically have.)

    LVL 79

    Expert Comment

    My advice - use the simple solution.
    If you have 4 physical ports, you should be able to see them/use them all.
    LVL 9

    Expert Comment

    I agree with lrmoore, the simplest solution is to just change the d.g. of the internal client to point to the WAN router.
    If you don't want to do that and money is not an issue, then purchase the ASA license upgrade so you can have another DMZ. Once you have that done, you can transfer the WAN router connection to the new DMZ and do the following on the ASA:

    1) initialize the new interface by assigning it an interface name, security level and IP address
    2) add some static or NAT rule depending on the flow of traffic
    3) create access rules
    4) add a route for the WAN sites on the ASA

    Hope it helps.
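    The four steps above, written out as ASA CLI, as an added example that is not part of any comment in this thread and not lrmoore's or the other expert's configuration. It assumes 8.3-or-newer NAT syntax, that the spare port is Ethernet0/3, that the new segment is 192.168.9.0/24 with the WAN router at 192.168.9.2, and reuses the 192.168.1.x (inside) and 192.168.8.x (WAN sites) ranges from the question.

```cisco
! Step 1: bring up the spare port as a dedicated segment for the WAN router
! (interface name, security level and addresses are assumptions for this example)
interface Ethernet0/3
 nameif wanlink
 security-level 90
 ip address 192.168.9.1 255.255.255.0
 no shutdown
!
! Address objects for the two ends of the flow
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WAN-SITES
 subnet 192.168.8.0 255.255.255.0
!
! Step 2: identity NAT so inside hosts and WAN-site hosts keep their real
! addresses in both directions (nothing is translated, the rule only
! exempts this flow from any outside NAT)
nat (inside,wanlink) source static INSIDE-NET INSIDE-NET destination static WAN-SITES WAN-SITES
!
! Step 3: access rules. inside (level 100) -> wanlink (level 90) is allowed by
! default and replies are matched statefully; only connections that the WAN
! sites themselves open toward inside need an explicit permit on wanlink.
access-list WANLINK-IN extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group WANLINK-IN in interface wanlink
!
! Step 4: send traffic for the remote corporate sites to the WAN router
route wanlink 192.168.8.0 255.255.255.0 192.168.9.2 1
```

    With the WAN router on its own interface the ASA sees both halves of every connection; left on the inside segment, the router's replies go straight to the client over the LAN and the firewall only ever sees the client-to-router direction.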

    Author Comment

    Well, I have to accept it is not possible, but I still try to figure out why Cisco engineers don't want the PIX and ASA to do such a simple thing, when they are already capable of doing static routing, and even OSPF!

    Thank you guys, anyway.
