Setup U-Turn (Hairpinning) on Cisco ASA

Applies to: Cisco ASA firewalls
Software requirement: ASA Version 7.2(1) or later (the ASA runs its own software image, not IOS). The NAT syntax shown below is the pre-8.3 form; 8.3 and later use object and twice NAT instead.

U-Turn (hairpinning with static NAT) makes a service published on the outside interface (the one that points to the Internet) of an ASA reachable for inside users under its public address. Let's say you have allowed inbound HTTP on the outside interface, for example a static NAT to an inside Web server. By default, inside users cannot connect to that public address: the ASA has no rule that tells it to translate traffic arriving on the inside interface and send it back out the same interface, so the connection is dropped.

This is where the U-Turn feature comes into play. It lets the ASA handle traffic from inside users the same way it would handle the same traffic arriving from outside.

Caution: Carefully consider the expected amount of traffic and the capabilities of your ASA device before you implement this solution, because it involves sending all traffic between the client and the Web server through the ASA device.

Step 1: Enabling traffic of same security level to pass

  • same-security-traffic permit intra-interface
    This command allows traffic between interfaces of the same security level to transit the ASA. The intra-interface keyword additionally allows such traffic to enter and leave the same interface, which is exactly what hairpinning requires.

Step 2: Enabling hairpinned client access through ASA device

  • global (inside) 1 interface
    All traffic that crosses the security appliance must match a NAT rule. This command uses the inside interface address of the appliance so that client traffic entering the inside interface is PATed to that address as it is hairpinned back out the inside interface. The global statement is only used by traffic that matches a nat (inside) 1 rule covering the client network; if no such rule exists yet, add one. Note that the Web server will then see the ASA's inside address, not the client's real address, as the source of hairpinned connections.

Step 3: Create static NAT entry

  • static (inside,inside) {IP address of outside interface} {IP address of Web server} netmask 255.255.255.255
    This static NAT entry creates a second mapping for the public IP address of the Web server (a single host, hence the 255.255.255.255 mask). Unlike the (inside,outside) static you already have in place, this one maps the Web server's real address to the public address on the inside interface. The ASA therefore answers for the public address when it sees requests for it on the inside interface, and it redirects those requests through itself to the real address of the Web server.

Steps 1 and 2 need to be done only once, as they are global statements. If you require U-Turn setup for multiple services, repeat step 3 for each of them.
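The complete configuration, as an added worked example that is not part of the original post. All addresses are assumed: outside interface 203.0.113.1, a dedicated public address 203.0.113.10 for the Web server (rather than the outside interface address itself), inside network 192.168.1.0/24, real server address 192.168.1.10. The access-list name OUTSIDE_IN and the nat (inside) 1 rule are assumptions about the pre-existing configuration; the syntax is the pre-8.3 NAT form the post describes.

```text
! Existing publication of the inside Web server on the outside interface.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Step 1: allow traffic to enter and leave the same interface (inside -> inside).
same-security-traffic permit intra-interface
!
! Step 2: PAT hairpinned client traffic to the inside interface address.
! The nat statement ties the inside network to global pool 1 (assumed here);
! without it, the global line matches no traffic.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Step 3: answer for the public address on the inside interface as well and
! translate it to the server's real address. Repeat per published host.
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
```

If an access-list is applied inbound on the inside interface, it must permit the clients to reach 203.0.113.10 on port 80. To check the result before testing from a client, run packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 80 (available from 7.2(1)); every phase including NAT should report ALLOW, and after a real connection show xlate shows both the PAT of the client to the inside interface address and the static translation of the server.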

  1. Thx, it worked.

  2. This got me 90% of the way there, but I think my setup was a little different because I had 2 networks behind the inside interface.

    I needed to add the following commands to get it working:

    *in this scenario the servers are in network .20.0 and the machines attempting to gain access are in network .10.0

    same-security-traffic permit intra-interface
    global (inside) 1 interface
    nat (inside) 1
    static (inside,inside) netmask

    Thanks for the help

  3. How can this be done with version 9.x of the ASA? They’ve changed how nat is implemented completely.
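For ASA 8.3 and later, where the pre-8.3 global/nat/static commands no longer exist, the same hairpin is expressed with objects and twice NAT. This is an added example, not from the original post or its comments, and it uses the same assumed addresses as above (public 203.0.113.10, real server 192.168.1.10, inside network 192.168.1.0/24); the object names are assumptions.

```text
! Step 1 is unchanged.
same-security-traffic permit intra-interface
!
object network WEB_SERVER
 host 192.168.1.10
object network WEB_PUBLIC
 host 203.0.113.10
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
!
! Existing publication of the server on the outside interface (object NAT).
object network WEB_SERVER
 nat (inside,outside) static WEB_PUBLIC
!
! Hairpin (steps 2 and 3 in one twice-NAT rule): inside clients addressing
! the public IP are PATed to the inside interface address and the
! destination is rewritten to the server's real address.
nat (inside,inside) source dynamic INSIDE_NET interface destination static WEB_PUBLIC WEB_SERVER
```

Keep in mind that from 8.3 onward access-lists reference real (untranslated) addresses, so the outside access-list must permit traffic to 192.168.1.10, not to 203.0.113.10. The packet-tracer check described above works the same way on these versions.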
