ASA: Hairpin/U-Turn

Many good posts (1, 2) cover this in detail, so I'm just posting it here for my own reference.

A user on the ASA inside network is trying to reach an internal server on its public IP. The internal server sits behind the same ASA. The internal user is PATed to the ASA's outside interface IP, and the server is statically NATed to a different public IP on the same (outside) interface.

User IP on inside network – 10.10.10.0/24 – obj_inside

Inside server IP – 10.10.10.10 – obj-10.10.10.10

ASA public (outside interface) IP – 11.11.11.11

Outside server NATed IP – 11.11.11.12 – obj-11.11.11.12

The final NAT statements look as follows.

Server public NAT (static one-to-one, so the server is reachable from the outside on 11.11.11.12):

nat (inside,outside) source static obj-10.10.10.10 obj-11.11.11.12

User hairpin (twice NAT on the inside interface: the destination 11.11.11.12 is untranslated to the server's real address 10.10.10.10, and the user's source is PATed to the inside interface address so the server replies back through the ASA instead of directly to the user on the shared LAN, which would leave the ASA with a half-built connection and drop the flow):

nat (inside,inside) source dynamic obj_inside interface destination static obj-11.11.11.12 obj-10.10.10.10

Two things the statements alone do not show: the ASA only forwards a flow that enters and leaves the same interface once same-security-traffic permit intra-interface is configured, and manual NAT rules are matched in order, so the hairpin rule must sit above any other rule that would match the same source (for example a general inside-to-outside PAT written as manual NAT).
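The complete configuration as an added example, not part of the original post: it puts the objects, the intra-interface permission and the two NAT rules together, adds a general inside-to-outside PAT (assumed here, written as object NAT so it cannot shadow the hairpin rule) and ends with the packet-tracer check a practitioner would run. The test host 10.10.10.20 and port 443 are assumptions for the check.

```cisco
! ASA 8.3+ hairpin / U-turn NAT for an inside user reaching an inside
! server on its public address. Added example; not the original post's config.

! Required for any flow that enters and leaves the same interface
! (the inside,inside NAT rule below). Without it the ASA drops the U-turn.
same-security-traffic permit intra-interface

object network obj_inside
 subnet 10.10.10.0 255.255.255.0
 ! Assumed general PAT for inside users. Object (auto) NAT lands in
 ! section 2, so it is evaluated after the manual rules and cannot
 ! shadow the hairpin rule. If you write it as manual NAT instead,
 ! it must come after the hairpin rule.
 nat (inside,outside) dynamic interface

object network obj-10.10.10.10
 host 10.10.10.10

object network obj-11.11.11.12
 host 11.11.11.12

! Manual NAT (section 1) is matched top-down: hairpin rule first.
! Destination 11.11.11.12 -> real 10.10.10.10, source PATed to the
! inside interface address so the server's replies return via the ASA.
nat (inside,inside) source dynamic obj_inside interface destination static obj-11.11.11.12 obj-10.10.10.10

! Server's static one-to-one NAT on the outside interface.
nat (inside,outside) source static obj-10.10.10.10 obj-11.11.11.12

! Since 8.3 access lists use real (untranslated) addresses, so an
! inbound ACL on inside must permit the server's real IP, not 11.11.11.12.
! (Only needed if you already filter inside-sourced traffic with an ACL.)
!   access-list inside_in extended permit tcp object obj_inside object obj-10.10.10.10 eq 443

! Verification (assumed test host 10.10.10.20, assumed port 443):
! the NAT phase should show the destination untranslated to 10.10.10.10,
! the output interface should be inside, and the result ALLOW.
packet-tracer input inside tcp 10.10.10.20 12345 11.11.11.12 443

! Then confirm the rule is being hit and the xlate exists.
show nat detail
show xlate
```

If packet-tracer shows the flow leaving on outside, a manual NAT rule above the hairpin rule is matching first; if it ends in a drop with the NAT phase correct, check that same-security-traffic permit intra-interface is present and that any inside ACL permits the server's real address.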
