Cisco ASA Hairpin Internal Server

Excellent article Rene, have Cisco included the no-proxy-arp as implied on NAT statements in the 9.x code?

This seemed to cause problems on 8.3 code with the ASA ARPing for the internal web/mail server.

Thanks

Hi Paul,

Proxy ARP can be a pain sometimes but I think the default since 8.4 is to have it enabled on the ASA. It is enabled on my ASA 9.5:

ASA1# sh run all sysopt | i proxy
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp INSIDE
ASA1(config)# show version | incl Version
Cisco Adaptive Security Appliance Software Version 9.5(1)201 
Device Manager Version 7.5(1)

Rene

Hi Rene,

Why do we need to access the web server using the public IP (192.168.2.200) when we can access the server locally (directly)? In which special scenario would we use something like this?
Could you please explain further?

br//
zaman

Hi Zaman,

If possible, I wouldn’t implement hairpinning like this (inside to inside NAT). It is easier to use a DNS server for hosts on the inside that resolves the hostname of the webserver to the local IP address and another DNS server on the outside that resolves to the public IP address.

Some reasons I can think of why you still want something like this:

  • You don't want to manage two DNS servers. This allows you to use one IP address to reach the webserver; it doesn't matter if you are on the inside or outside of the network.
  • You have laptops that are used on the inside and outside and have issues with DNS caching.

Rene


Hi Rene,

The same as your diagram, but I replace SWL2 with SWL3. Is it possible?

Hi Chheang,

That might be difficult. In this example, the ASA is the default gateway for both devices. If you have a L3 switch in the middle and the host/webserver in different subnets then the switch will do routing. This will cause issues.

Rene

Hi Rene

Is this the twice NAT?

Thanks
Palani

Twice NAT means you configure a source and destination in a single rule so yes, that’s pretty much what we do here. We specify the source (host) and the destination (webserver).
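As an added illustration of the twice NAT hairpin described above (this is example configuration written here, not the lesson's or Rene's own config): the interface names INSIDE/OUTSIDE come from the show run output earlier in the thread, the web server's real address 192.168.1.2 and public address 192.168.2.200 come from the lesson text quoted below, and the object names, the 192.168.1.0/24 LAN and the test host 192.168.1.10 are assumptions.

```cisco
! Objects for the web server's real (inside) and public (outside) addresses.
object network WEB_LOCAL
 host 192.168.1.2
object network WEB_PUBLIC
 host 192.168.2.200
! Inside hosts that may reach the web server via its public address (assumed LAN).
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
!
! Ordinary inbound static NAT: Internet -> 192.168.2.200 -> 192.168.1.2.
object network WEB_LOCAL
 nat (INSIDE,OUTSIDE) static WEB_PUBLIC
!
! Hairpin traffic enters and leaves the same interface, which the ASA
! blocks by default; this permits it.
same-security-traffic permit intra-interface
!
! Twice NAT for the hairpin, one rule with both a source and a destination:
!  - destination 192.168.2.200 is translated to 192.168.1.2
!  - the source is PATed to the INSIDE interface address ("interface") so the
!    web server replies to the ASA, not directly to the host; a direct reply
!    from 192.168.1.2 would never match the host's session to 192.168.2.200.
nat (INSIDE,INSIDE) source dynamic INSIDE_LAN interface destination static WEB_PUBLIC WEB_LOCAL
!
! Check from the CLI: the output should end with "Action: allow" and show a
! NAT phase for the destination and a NAT phase for the source.
packet-tracer input INSIDE tcp 192.168.1.10 1025 192.168.2.200 80
```

After a real connection, show xlate should list both the dynamic PAT entry for the host and the static entry for the web server.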

Hi Rene,

Thank you for your article, it's very good and simple to understand. I need your help to know how to configure the same thing but if the ASA has version 8.2, I mean the version before 8.4 that you used in your example. Per my understanding it's totally different and more complicated.

Would you mind giving me a summary of that with a simple example?

Thank you

Hi Sinan,

Glad to hear you like it. I probably won’t do this example for 8.2 as it might take some time and 8.2 is pretty old by now.

Rene

Hi Rene,

I have the following NAT Rule and I’ve broken it down the way you did in your example:

nat (Outside,Outside) source static MITH-PROD_1 NAT_MIRTH_PROD_1 destination static RWJBH_Rawway_NAT RWJBH_NewBrunswick

* (Outside,Outside): we are translating traffic from the outside that is going to the outside, this is the hairpinning part / U-turn NAT.
* source static MIRTH-PROD_1 NAT_MIRTH_PROD_1: the source of the traffic has to be host 10.10.15.175 and it has to be translated to the IP address of 192.16.10.1, this will be 192.16.10.1
* destination static RWJBH_RAAY_NAT RWJBH_NEWBRUNSWICK: the destination of the traffic is 10.254.254.67 and it has to be translated to the customer's real addresses.

The part I’m having a little confusion on is the destination part. Can you help clear this portion up in a simple way that is easy to understand?

Thanks

mismatch configuration -

Just to be sure that I understand what I am reading, I think there is a mismatch between the diagram and the configuration. Instead of the address 192.168.2.220 it has to be 192.168.2.200 in the diagram, and I think in the configuration the object network WEB_SERVER has to be WEB_LOCAL where there is the static NAT for INBOUND TRAFFIC.
Please let me know if I am wrong. Many thanks

Hello Dionisis

Good catch! You are correct. I will let @ReneMolenaar know of the error and he can fix it.

Thanks again!

Laz

Hello Laz

The details of a topic are important for me to understand a concept. So thanks for your reply.

Dionisis


Hi Rene! Great Lesson. Just wanted to point out a typo that may need to be fixed. In the beginning of the lesson I think the webserver IP is supposed to indicate “192.168.1.2” not “192.168.2.2”. Please see below:

“Above we have a webserver using IP address 192.168.2.2 on our internal LAN. The ASA is configured so that IP address 192.168.2.220 on the outside is translated to IP address 192.168.1.2. This allows users on the Internet to access our webserver.”


Hello Leroy

Yes you are correct and thanks for catching that. I’ll let @ReneMolenaar know.

Laz

Thanks Leroy, just fixed it!

No problem! Thank you Rene!

Rene, you are doing a great job. A very difficult topic explained in simple way.

Just to add, one reason why we need hairpinning is that there are some applications in the DC which need to create control channels on the public IP in order to communicate, hence they need inside to inside NAT.
