ASA hairpin traffic

Is anyone familiar with how to enable hairpin traffic on an ASA?

ie. local subnet with private IPs can connect to public address on the ASA and PAT will forward ports to machines on the DMZ.

thanks in advance!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

stealthtt

Hello,

You can do this with static nat statements.

bighornsheep

stealthtt wrote:

You can do this with static nat statements.

Thanks for the suggestion, but I think static nat won't work in this case because they have to be host to host or subnet to subnet, whereas I would need a subnet to host static nat in this case.

Unless there is a way to do this?

dtlokee

you are trying to forward specific ports on the inside to different servers on the DMZ interface? It sounds like policy NAT will do what you want but I am not totally clear on what you are trying to do.

bighornsheep

The ASA has public IP and private subnet doing PAT, there is vpn policy set up for public interface for users to login from home (by IP, not DNS), there is another DMZ zone that a separate vpn policy controls using group URL (again, by IP, not DNS).

The problem now comes what if a user needs DMZ access from the private segment on the private interface on the ASA? I am not permitted to route those segments, they have to be separate, so they have to go through their VPN policies, but since there is no DNS, they have to go by the IP, the public IP.

I've tried a whole bunch of things to get the NAT rules to work for this, but it seems like it won't work for what is setup, I will need to route the private segment out to another device in order for them to be able to come back into the DMZ via the public IP, unless you have a creative solution?