Cisco ASA 9.1(5) Hairpin NAT

Posted on 2014-08-19
Last Modified: 2014-08-21
I have a network where I have 2 active interfaces on an ASA 5500 series firewall (inside,outside).

There are 2 networks on the inside interface, and

I have static NAT objects in place to accept outside requests for the public IP to the inside IP, and it all works fine.
I have a catch-all outbound PAT for the remaining IPs on the inside networks going to the Internet. Surfing works fine.

An example of one of the static NAT'd external hosts is:
object network server1
object network server1
 nat (inside,outside) static

What I'm having a problem with is having other inside hosts get to the inside servers via their public IP. I can't use DNS rewrite in the NAT object, as the DNS server is on the local network and DNS rewrite would never see the traffic; plus, I believe DNS rewrite breaks DNSSEC. I'm trying to avoid having to run BIND with views enabled. I'm pretty sure that I need hairpinning, but I can't seem to figure out the format of the pre-auto NAT command that would make this work.
same-security-traffic permit intra-interface and same-security-traffic permit inter-interface are in the config already.

Question by: gorony
    LVL 57

    Expert Comment

    by: Pete Long
    If your DNS Servers are on your LAN why not run splitDNS?

    Windows - Setting Up Split DNS


    Author Comment

    I can run split DNS but I'm trying to combine this with virtualmin which doesn't automatically manage multiple views for BIND. Ultimately I'm trying to eliminate manual intervention or having to edit multiple zone files whenever a change is happening.
    LVL 57

    Accepted Solution

    I've had a ponder on this, and the only way I can think of to do this would be to put each internal network on a different physical or sub-interface on the ASA. Even then I'd have to sit and think about all the NAT possibilities.

    This would also mean the firewall was LAN routing, which is possible but not something I usually advocate unless it's a very small network.

    Author Comment

    OK, so if I move the network to be like this:

    outside inside dmz

    "outside" interface has 1st public IP from provider assigned range, sec level 0
    "inside" interface has, sec level 100
    "dmz" interface has, sec level 50

    standard NAT applies:
    nat (inside,outside) source dynamic inside-subnet interface
    nat (dmz,outside) source dynamic dmz-hosts interface
    object network webserver
     nat (dmz,outside) static

    I can reach the server from the outside world.
    I can ping from 10.1.1.(anything) to But I can't get "inside" hosts to access "". I can't seem to figure out the extra nat (inside,dmz) combo that will NAT the outbound destination of to the object webserver's private IP.


    Author Comment

    OK, so I figured it out with the DMZ setup. I was pointing the NAT at an object NAT, which doesn't seem to work, so creating an additional non-auto-NAT'd object and pointing the pre-auto-NAT at that works:

    object network inside-subnet
    object network webserver-inside
    object network webserver-outside
    nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp

    rinse, repeat.

    I guess I really should clean up the configs by removing the auto-nat objects and just using the -inside and -outside objects for the (outside,dmz) NAT entries as well as the (inside,dmz) NAT entries at some point.
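    The following is an added worked example, not configuration posted by anyone in this thread, covering both layouts discussed: the original single inside interface (hairpin across one interface) and the inside/dmz split the author ended up with. All addresses are assumptions chosen for the example: 10.1.1.0/24 for inside, 10.1.2.0/24 for dmz, 203.0.113.10 as the server's public address; ASA 8.3+/9.x NAT syntax. Object and ACL names are hypothetical.

```cisco
! ===== Case A: one inside interface, clients and server both on it =====
! Needed so a flow may enter and leave the ASA on the same interface.
same-security-traffic permit intra-interface

object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network server1-inside
 host 10.1.1.10
object network server1-outside
 host 203.0.113.10

! Section 1 (twice NAT) is evaluated before object/auto NAT and is
! first-match, so the server's static must precede the catch-all PAT,
! or the server's own outbound traffic is PAT'd to the interface address.
nat (inside,outside) source static server1-inside server1-outside
nat (inside,outside) source dynamic inside-subnet interface

! The hairpin. Destination is rewritten public -> real. The source is
! ALSO PAT'd to the inside interface: without that, the server would
! answer the client directly (same subnet), the reply would bypass the
! ASA, and the client would see a SYN/ACK from 10.1.1.10 instead of
! 203.0.113.10 and drop it.
nat (inside,inside) source dynamic inside-subnet interface destination static server1-outside server1-inside

! If an ACL is applied inbound on "inside", hairpinned traffic must be
! permitted there too. Post-8.3 ACLs reference REAL (untranslated) addresses.
access-list inside_in extended permit ip object inside-subnet any
access-group inside_in in interface inside


! ===== Case B: inside (100) / dmz (50) / outside (0), server in the DMZ =====
object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network dmz-hosts
 subnet 10.1.2.0 255.255.255.0
object network webserver-inside
 host 10.1.2.10
object network webserver-outside
 host 203.0.113.10

! Static ahead of the PAT rules, for the same first-match reason as above.
nat (dmz,outside) source static webserver-inside webserver-outside
nat (dmz,outside) source dynamic dmz-hosts interface
nat (inside,outside) source dynamic inside-subnet interface

! inside -> server's public address. The return path (dmz -> inside)
! already crosses the ASA, so an identity (unchanged) source is enough;
! only the destination is rewritten. no-proxy-arp keeps the ASA from
! answering ARP for 203.0.113.10 on the dmz and inside segments.
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp

! Outside -> DMZ still needs an explicit permit, written against the
! real address, not the public one.
access-list outside_in extended permit tcp any object webserver-inside eq 80
access-group outside_in in interface outside

! ===== Verification =====
! Walk an inside client's SYN to the public address through the rule base
! and confirm the NAT phase picks the twice-NAT rule and the flow is ALLOW.
packet-tracer input inside tcp 10.1.1.20 40000 203.0.113.10 80
show nat detail
show xlate
```

    The practical check is the packet-tracer line: the "NAT" phase of its output should name the `nat (inside,dmz)` (or `nat (inside,inside)`) rule and show the destination untranslated to the real host, and the result should be ALLOW. If packet-tracer instead hits the `(inside,outside)` PAT rule, the twice-NAT line is either below it or not matching the destination object.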
