  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2918

Cisco ASA 9.1(5) Hairpin NAT

I have a network where I have 2 active interfaces on an ASA 5500 series firewall (inside,outside).

There are 2 networks on the inside interface, and

I have static NAT objects in place to accept outside requests for the public IP to the inside IP, all works fine.
I have a catch-all outbound PAT for the remaining IPs on the inside networks going to the Internet. Surfing works fine.

An example of one of the static NAT'd external hosts is:
object network server1
object network server1
 nat (inside,outside) static real.ip.addr.here

What I'm having a problem with is having other inside hosts get to the inside servers via their public IP. I can't use DNS rewrite in the NAT object as the DNS server is on the local network and DNS rewrite would never see the traffic, plus I believe DNS rewrite breaks DNSSEC. I'm trying to avoid having to run BIND with views enabled. I'm pretty sure that I need hairpinning, but I can't seem to figure out the format of the pre-auto NAT command that would make this work?
same-security-traffic permit intra-interface and same-security-traffic permit inter-interface are in the config already.

1 Solution
Pete Long (Consultant) commented:
If your DNS servers are on your LAN, why not run split DNS?

Windows - Setting Up Split DNS

gorony (Author) commented:
I can run split DNS but I'm trying to combine this with virtualmin which doesn't automatically manage multiple views for BIND. Ultimately I'm trying to eliminate manual intervention or having to edit multiple zone files whenever a change is happening.
Pete Long (Consultant) commented:
I've had a ponder on this, and the only way I can think of to do this would be to put each internal network on a different physical or sub-interface on the ASA. Even then I'd have to sit and think about all the NAT possibilities.

This would also mean the firewall was LAN routing, which is possible but not something I usually advocate unless it's a very small network.
gorony (Author) commented:
OK, so if I move the network to be like this:

outside inside dmz

"outside" interface has 1st public IP from provider assigned range, sec level 0
"inside" interface has, sec level 100
"dmz" interface has, sec level 50

standard NAT applies:
nat (inside,outside) source dynamic inside-subnet interface
nat (dmz,outside) source dynamic dmz-hosts interface
object network webserver
 nat (dmz,outside) static public.ip.goes.here

I can reach the server from the outside world.
I can ping from 10.1.1.(anything) to But I can't get "inside" hosts to access "public.ip.goes.here". I can't seem to figure out the extra nat (inside,dmz) combo that will NAT the outbound destination of public.ip.goes.here to the object webserver's private IP.......

gorony (Author) commented:
OK, so I figured it out with the DMZ setup. I was pointing the NAT at an object NAT, which doesn't seem to work, so creating an additional non-auto-NAT'd object and pointing the pre-auto-NAT at that works:

object network inside-subnet
object network webserver-inside
object network webserver-outside
 host public.ip.here
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp

rinse, repeat.

I guess I really should clean up the configs by removing the auto-nat objects and just using the -inside and -outside objects for the (outside,dmz) NAT entries as well as the (inside,dmz) NAT entries at some point.
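
The working hairpin rule from the last comment with sample addresses filled in, plus commands to verify it. This is an added example, not the poster's configuration. The addresses 10.1.1.0/24 (inside), 192.168.50.10 (DMZ server) and 203.0.113.10 (public IP) are constructed values assumed for illustration.

```text
! Constructed sample addresses, not taken from the thread:
!   inside subnet 10.1.1.0/24, DMZ web server 192.168.50.10, public IP 203.0.113.10
object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network webserver-inside
 host 192.168.50.10
object network webserver-outside
 host 203.0.113.10
!
! Manual (twice) NAT, evaluated before the object (auto) NAT rules:
! the source stays untranslated, the destination 203.0.113.10 is
! rewritten to the server's real DMZ address 192.168.50.10
nat (inside,dmz) source static inside-subnet inside-subnet destination static webserver-outside webserver-inside no-proxy-arp
!
! Verify: simulate an inside client opening TCP/80 to the public IP
packet-tracer input inside tcp 10.1.1.50 12345 203.0.113.10 80
! Confirm the rule is listed under Section 1 and check its hit counters
show nat detail
```

In the packet-tracer output, look for an UN-NAT phase that selects the `(inside,dmz)` rule and an output interface of `dmz`. If an access-list is applied inbound on `inside`, it has to permit the server's real DMZ address, because ASA 8.3 and later match ACLs against real IPs rather than translated ones.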
