Cisco ASA Hairpin Internal Server

Hi Rene,
Seem picture mismatch with config , OUSIDE IP for Webserver is 192.168.2.220 or 192.168.2.200

object network WEB_SERVER
nat (INSIDE,OUTSIDE) static 192.168.2.200

Hi Nguyen,

You are correct, I just changed the text so that it shows 192.168.2.220 everywhere (not 2.200). Thanks!

Rene

Under hairpinning section, the following NAT config explained “destination static WEB_PUBLIC WEB_LOCAL: we only want to translate traffic that is destined to 192.168.2.220.”
But what about the WEB_LOCAL? What is that entered for?

Hello Ryan

When configuring a NAT translation, for both the source and destination, it is possible to specify both the “mapped object” as well as the “real object”. In this case, the WEB_PUBLIC object is the mapped object, while the WEB_LOCAL object is the real object. Note that when configured, as is the case here, the destination address can be specified to map to the desired address. Here, by specifying both, we are translating traffic that is destined to 192.168.2.220 but being translated to 192.168.1.2.

More information about this NAT configuration can be found in the following Cisco command reference:

I hope this has been helpful!

Laz