Cisco ASA Hairpin Internal Server

Rene, you are doing a great job. A very difficult topic explained in a simple way.

Just to add, one reason why we need hairpinning is that there are some applications in the DC which need to create control channels on the public IP in order to communicate, hence they need inside-to-inside NAT.

1 Like

Hi Rene,
The picture seems to mismatch the config: is the OUTSIDE IP for the web server 192.168.2.220 or 192.168.2.200?

object network WEB_SERVER
nat (INSIDE,OUTSIDE) static 192.168.2.200

Hi Nguyen,

You are correct, I just changed the text so that it shows 192.168.2.220 everywhere (not 2.200). Thanks!

Rene

Under hairpinning section, the following NAT config explained “destination static WEB_PUBLIC WEB_LOCAL: we only want to translate traffic that is destined to 192.168.2.220.”
But what about the WEB_LOCAL? What is that entered for?

Hello Ryan

When configuring a NAT translation, for both the source and destination, it is possible to specify both the “mapped object” as well as the “real object”. In this case, the WEB_PUBLIC object is the mapped object, while the WEB_LOCAL object is the real object. Note that when configured, as is the case here, the destination address can be specified to map to the desired address. Here, by specifying both, we are translating traffic that is destined to 192.168.2.220 but being translated to 192.168.1.2.

More information about this NAT configuration can be found in the following Cisco command reference:

I hope this has been helpful!

Laz

1 Like
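As an added example (not the lesson's configuration and not Laz's post), the following puts the two NAT rules discussed above together into a complete hairpin configuration. The addressing is assumed from the thread: the web server's real address is 192.168.1.2 on INSIDE, its public address is 192.168.2.220 on OUTSIDE, and the inside client used for verification (192.168.1.1) is a constructed value.

```cisco
! Added example, not the lesson's own config. Assumed addressing:
! INSIDE 192.168.1.0/24, web server real IP 192.168.1.2,
! web server public IP 192.168.2.220 reachable via OUTSIDE.

! Hairpinning sends a packet back out the interface it arrived on.
! The ASA drops such traffic by default, so permit it explicitly.
same-security-traffic permit intra-interface

! Real (inside) and mapped (public) addresses of the web server.
object network WEB_LOCAL
 host 192.168.1.2
object network WEB_PUBLIC
 host 192.168.2.220

! Regular object NAT so Internet clients reach the server on its public IP.
object network WEB_SERVER
 host 192.168.1.2
 nat (INSIDE,OUTSIDE) static 192.168.2.220

! Hairpin twice NAT. Only traffic from INSIDE that is destined to the
! mapped address (WEB_PUBLIC) matches; its destination is rewritten to the
! real address (WEB_LOCAL). The source is rewritten to the INSIDE interface
! IP so the server's replies return through the ASA instead of going
! straight back to the client on the same subnet (which would break the
! connection because the client expects replies from 192.168.2.220).
nat (INSIDE,INSIDE) source dynamic any interface destination static WEB_PUBLIC WEB_LOCAL

! Verification (constructed client 192.168.1.1 on INSIDE):
! packet-tracer input INSIDE tcp 192.168.1.1 12345 192.168.2.220 80
! show nat detail
! show xlate
```

The `packet-tracer` run should show the NAT phase matching the (INSIDE,INSIDE) rule and the untranslated destination changing to 192.168.1.2; if it instead reports an implicit deny, the `same-security-traffic permit intra-interface` line is the first thing to check.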

Hello everyone, I have a similar situation: there is an IP address of a local network server, and there is an ASA 5510 with an external address. I need to make a hairpin so that users from the internal network would dial the external address and get to my server. The problem is that the Cisco Adaptive Security Appliance Software version is 7.0(8), and the syntax for writing the config for this task is not suitable at all :frowning:
Can you tell me how to solve this problem?

Hello Vladimir

Yes, it is true that ASA 7.0 is an older version, and since then, many of the commands and implementation methods have changed. 7.0 was actually the first version of ASA to permit hairpinning. The following command reference will help you in the implementation:

Much of the Cisco documentation for ASA 7.0 (which was released over 15 years ago) is no longer available or has changed link addresses and is harder to find, but doing a bit of a search has brought up some results that will be able to help you in your configuration, beyond just this command reference.

I’m sorry I couldn’t have been more helpful!

Laz

thanks for your reply

Great Lesson. Well explained in a few words. enjoyed it…

Do we have a lesson with a local DNS server that resolves the hostname of the web server to the local IP address, which would function the same as the hairpinning scenario you mention in this lesson? I would love to know the setup, please…
Thank you so much.

Hello Ayong

The note in the lesson concerning the use of a local DNS server does not actually change any of the hairpinning topology or configuration. The comment there is made to indicate that if you don’t have an internal DNS pointing the host to the web server’s internal IP address, the internal host will request the IP address resolution from a DNS server on the Internet. This will result in it receiving the web server’s public IP address and the route the traffic will take will be via the ASA (hairpinning).

Alternatively, if an internal DNS server exists, the host will receive the internal IP address from the DNS server and will not need to hairpin, but will simply go to the internal IP address of the web server which is on the same subnet, which means that the ASA will not be involved in this communication at all.

I hope this has been helpful!

Laz

I now understand. Thank you Laz.

1 Like

What would be the nat statement if the webserver was in a DMZ zone and using a public ip address?

Hello Christian

If you had a web server on the DMZ, then this wouldn’t be a hairpinning scenario. In that case, the NAT rule would be (INSIDE, DMZ) instead of (INSIDE, INSIDE). You would also have to redefine the WEB_LOCAL and WEB_PUBLIC objects as well.

I suggest you give it a try and do some troubleshooting to gain a full understanding.

I hope this has been helpful!

Laz

I was wondering if I could get some help… Your article is very good, but I have two private addresses: a 10.2.55.0 private server and a web server that has a 208 public address and 172.16.55.0 NATed to that public address. The private server cannot reach either the 172 or the 208 addresses. Can I do this with hairpinning?

Thanks!

Hello John

From my understanding, your scenario is the same as the topology in the lab except that H1 and Web are in different subnets, but they’re both on INSIDE interfaces of the ASA. We can assume that H1 is your private server, and the web server in your scenario is the same as the web server in the lesson.

In this case, you can use hairpinning to allow your private server to reach the web server using the public address of 208.X.Y.Z. However, hairpinning will not fix the problem of communication of the private server with the private address of the web server. This is a communication between two INSIDE interfaces on the ASA. You will have to troubleshoot this case separately and independent of hairpinning.

Can you give us some more information about your topology and the configurations of your ASA? That way we can further help you in your troubleshooting process.

I hope this has been helpful!

Laz

Thanks for your reply. I only have one inside interface and one outside interface on my ASA. We don’t have a DMZ for the web servers.

I don’t need the private address of the server to reach the private address of the web server - I just need the private server to reach the outside address of the web server as it keeps failing.

It fails on both the private address of the web server and the public address of the web server. When I do packet tracer on the ASA, it says that traffic from the private server to either the private address or the public address is denied by the implicit rule.

That is why I thought hairpinning would work, and I just wasn’t sure which address I should use in the ASA configuration: private or public? It isn’t just one site; there are a bunch of portal sites that I need the private server to reach as well, and I have the public and private addresses. I just wanted to know whether the private server address is to be used, and whether the private or the public address should be used for the hairpinning?

Thanks so much for your help and great advice…

Hello John

Hairpinning will indeed solve your problem if you simply want the server to reach the outside address of the web server. This is what is being described in the lesson.

However, if you are not able to ping the private address, and if you want to further troubleshoot that reason, you have to keep the following in mind. You have a server with a 10.2.55.X address, and a web server that has a 172.16.55.X address. If you want those to communicate directly, then somewhere, routing must take place. If you only have a single INSIDE interface, how is routing taking place between these two subnets? We don’t have enough information about your topology to be able to help in the troubleshooting.

In any case, an implicit rule in the ASA packet tracer simply means that either the implicit deny statement in an ACL is being met, or the rule that states that traffic can only flow from a higher security level interface to a lower security level interface. This may help you in further troubleshooting.

I hope this has been helpful!

Laz

Hello,
Is there any way we can configure NAT hairpinning in Cisco routers?
I have seen that in IOS we can do this with NVI. Any thoughts?
If any config example, please share.

Hello Ajimal

There are a couple of ways you can do this. The first, which is the “newer” way is to use what is known as NAT on a stick. This is where the NVI is used, as you mentioned. You can find out more about this configuration at the following lesson:

The older way of doing it is to use policy-based routing and NAT. An example of this can be found in this Cisco Community thread.

I hope this has been helpful!

Laz

You were absolutely correct, and I have the hairpinning working perfectly! Thanks to you and your site! I cannot thank you or your site enough… I will start my CCNP training soon… thanks again!

1 Like