Cisco ASA Hairpinning

How do I enable hairpinning globally on a Cisco ASA, or what is the best way to use it? DNS rewrite is used when possible, but every setup requires some form of hairpinning. Recommendations please.
tafesAsked:
 
nodiscoCommented:
 
tafesAuthor Commented:
Is there a way to configure this for the whole inside network and subnets? Maybe dynamic NAT or something instead of creating an entry for each service?
 
tafesAuthor Commented:
I am new to Experts Exchange so hang with me. Here are some examples of what I am trying to do:

static (INSIDE,DELTACOM) tcp interface https 10.251.4.24 https netmask 255.255.255.255  dns
static (INSIDE,DELTACOM2) tcp 66.0.49.51 ftp-data 10.251.4.22 ftp-data netmask 255.255.255.255  dns
static (INSIDE,DELTACOM2) tcp 66.0.49.51 ftp 10.251.4.22 ftp netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.38 ftp-data 10.251.4.22 ftp-data netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.38 ftp 10.251.4.22 ftp netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.43 3727 10.251.4.42 3727 netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.43 444 10.251.4.48 https netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.44 https 10.251.4.26 https netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.44 3727 10.251.4.26 3727 netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.45 3727 10.251.4.53 3727 netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.3 https 10.251.4.26 https netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.3 3727 10.251.4.26 3727 netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.3 5494 10.251.4.42 5494 netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.4 444 10.251.4.48 https netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.5 smtp 10.251.4.15 smtp netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.5 https 10.251.4.15 https netmask 255.255.255.255  dns
static (INSIDE,INSIDE) tcp 97.67.60.5 https 10.251.4.15 https netmask 255.255.255.255  dns
static (INSIDE,DELTACOM) tcp 97.67.60.4 3727 10.251.4.29 3727 netmask 255.255.255.255  dns
static (INSIDE,INSIDE) tcp 72.159.189.38 ftp 10.251.4.22 ftp netmask 255.255.255.255
static (INSIDE,INSIDE) tcp 72.159.189.38 ftp-data 10.251.4.22 ftp-data netmask 255.255.255.255
static (INSIDE,INSIDE) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255
static (INSIDE,ATT) tcp 72.159.189.44 5494 10.251.4.42 5494 netmask 255.255.255.255
static (INSIDE,DELTACOM2) tcp 66.0.49.52 https 10.251.4.26 3727 netmask 255.255.255.255  dns
static (INSIDE,DELTACOM2) tcp 66.0.49.56 www 10.251.4.27 www netmask 255.255.255.255  dns
static (DMZ,DELTACOM2) tcp 66.0.49.54 www 10.251.12.2 www netmask 255.255.255.255  dns
static (DMZ,DELTACOM2) tcp 66.0.49.60 https 10.251.12.4 https netmask 255.255.255.255  dns
static (DMZ,DELTACOM2) tcp 66.0.49.60 3727 10.251.12.4 3727 netmask 255.255.255.255  dns
static (INSIDE,INSIDE) 72.159.189.45 10.251.4.53 netmask 255.255.255.255
static (INSIDE,INSIDE) 72.159.189.44 10.251.4.42 netmask 255.255.255.255
static (INSIDE,DMZ) 10.251.0.0 10.251.0.0 netmask 255.255.0.0
static (DMZ,DMZ) 10.251.12.0 10.251.12.0 netmask 255.255.255.0

Now without certain hairpinning statements:
static (INSIDE,INSIDE) 72.159.189.45 10.251.4.53 netmask 255.255.255.255
static (INSIDE,INSIDE) 72.159.189.44 10.251.4.42 netmask 255.255.255.255

I would like to enter one statement allowing all published services to be available even under hairpinning.
 
nodiscoCommented:
hey there

Yes, this command will do it in one for you - it enables hairpinning, which allows traffic to go back out the interface it originated from - it's not a one-by-one command.

same-security-traffic permit intra-interface


There's more detail on the workings of it here:
Note the difference with "inter" versus "intra"
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

cheers
 
tafesAuthor Commented:
Here is an example debug with static statements and same-security enabled for both intra and inter. I get NAT translation errors.
hair-pinning.pdf
 
tafesAuthor Commented:
Here is some more relevant information as well. If I remove either static statement for Deltacom, the translation works for ATT. If I try to add a hairpinning rule for Deltacom, I get an error creating the rule because a one-for-one rule already exists. If I remove the (inside,inside) statement, neither works for inside to inside, even with same-security-traffic permit intra-interface.

static (INSIDE,DELTACOM) tcp interface https 10.251.4.24 https netmask 255.255.255.255  dns
static (INSIDE,ATT) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255  dns
static (INSIDE,INSIDE) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255
 
tafesAuthor Commented:
I reviewed your initial post and realized I missed this statement:
global (inside) 1 interface
This resolved the issue. Do I accept your first post?
Thanks.
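Putting the thread's pieces together as one ASA 8.2-style fragment for a single published service (added here as an illustration, not configuration from the thread; the nat (inside) 1 line and the 10.251.4.100 client address are assumptions):

```text
! --- Publish the server once; the "dns" keyword rewrites the A record in
!     DNS replies so inside clients resolve the public name to 10.251.4.24
!     and reach it directly, with no hairpin at all (the asker's preferred path)
static (INSIDE,ATT) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255 dns

! --- Hairpin path, for inside clients that connect to the public IP itself
! 1. Let a flow enter and leave the same interface (U-turn)
same-security-traffic permit intra-interface

! 2. Destination translation on the inside interface: public IP -> server
static (INSIDE,INSIDE) tcp 72.159.189.41 https 10.251.4.24 https netmask 255.255.255.255

! 3. Source translation to the inside interface address. Without this the
!    server answers the client directly on the LAN, the ASA never sees the
!    reply, and the connection stalls with the translation errors reported
!    above. Assumed: nat id 1 already covers the inside subnets.
nat (inside) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface

! Check (assumed client 10.251.4.100): every phase should report ALLOW,
! and the xlate table should show the client PATed to the inside interface
packet-tracer input INSIDE tcp 10.251.4.100 1025 72.159.189.41 443
show xlate
```

The same three pieces cover the other published services: one (INSIDE,INSIDE) static per public address and port, while the same-security-traffic and global (inside) lines are entered once.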
 
nodiscoCommented:
The first one is the relevant answer, so yes.

Glad you got it working!