ASA hairpin traffic

bighornsheepbighornsheep Member Posts: 1,506
Is anyone familiar with how to enable hairpin traffic on an ASA?

ie. local subnet with private IPs can connect to public address on the ASA and PAT will forward ports to machines on the DMZ.

thanks in advance!
Jack of all trades, master of none


  • stealthttstealthtt Member Posts: 14 ■□□□□□□□□□

    You can do this with static nat statements.
  • bighornsheepbighornsheep Member Posts: 1,506
    stealthtt wrote:
    You can do this with static nat statements.

    Thanks for the suggestion, but I think static nat won't work in this case because they have to be host to host or subnet to subnet, whereas I would need a subnet to host static nat in this case.

    Unless there is a way to do this?
    Jack of all trades, master of none
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    you are trying to forward specific ports on the inside to different servers on the DMZ interface? It sounds like policy NAT will do what you want but I am not totally clear on what you are trying to do.
    The only easy day was yesterday!
  • bighornsheepbighornsheep Member Posts: 1,506
    The ASA has public IP and private subnet doing PAT, there is vpn policy set up for public interface for users to login from home (by IP, not DNS), there is another DMZ zone that a separate vpn policy controls using group URL (again, by IP, not DNS).

    The problem now comes what if a user needs DMZ access from the private segment on the private interface on the ASA? I am not permitted to route those segments, they have to be separate, so they have to go through their VPN policies, but since there is no DNS, they have to go by the IP, the public IP.

    I've tried a whole bunch of things to get the NAT rules to work for this, but it seems like it won't work for what is setup, I will need to route the private segment out to another device in order for them to be able to come back into the DMZ via the public IP, unless you have a creative solution?
    Jack of all trades, master of none
Sign In or Register to comment.