Wednesday, June 12, 2013

ASA 8.4 and Hairpin NAT

I previously posted here about setting up Hairpin NAT on a Cisco ASA running version 8.2, but of course they changed the syntax yet again, so here is an updated version for 8.4. For those unaware, Hairpin NAT is what allows you to access a server by its public IP from inside the network. This is useful if you are not running split DNS or if you have needy users that want to be able to use the same IP wherever they are.

The procedure for this is actually a bit simpler, there are just a few commands required:

Allow the traffic to get turned around:

same-security-traffic permit intra-interface

Add the NAT rule for users without their own static mapping

object network obj_any_hairpin
 subnet 0.0.0.0 0.0.0.0

object network obj_any_hairpin
 nat (inside,inside) dynamic interface
Note that i separated these two blocks as that is how it usually appears in the config. The first block defines the object group, while the second one applies the NAT rule to it. This rule will match for any LAN users that do not have a static 1:1 mapping defined.

Add NAT rules for all static users

object network obj_10.10.10.10
 host 10.10.10.10
object network obj_10.10.10.10_hairpin
 host 10.10.10.10

object network obj_10.10.10.10
 nat (inside,outside) static 1.2.3.4
object network obj_10.10.10.10_hairpin
 nat (inside,inside) static 1.2.3.4

The object groups need to be separate so that you can apply different NAT rules to them. The first object group and the corresponding NAT rule is for the external access coming in, while the second set are the ones that allow the internal to internal traffic.

No comments:

Post a Comment