Home‎ > ‎Security‎ > ‎

Hairpinning with Static NAT

Hairpinning with static NAT involves sending all traffic between the client and the WWW server through the security appliance. Carefully consider the expected amount of traffic and the capabilities of your security appliance before you implement this solution.

Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1).

Hairpinning, in conjunction with a static NAT statement, can be used to achieve the same effect as DNS doctoring. This method does not change the contents of the DNS A-record that is returned from the DNS server to the client. Instead, when hairpinning is used, such as in the scenario discussed in this document, the client can use the address of 172.20.1.10 that is returned by the DNS server in order to connect.

Here is what the relevant portion of the configuration looks like when you use hairpinning and static NAT to achieve a DNS doctoring effect. The commands in bold are explained in greater detail at the end of this output:

ciscoasa(config)#show run
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa

!--- Output suppressed.

same-security-traffic permit intra-interface

!--- Enable hairpinning.

global (outside) 1 interface

!--- Global statement for client access to the Internet.

global (inside) 1 interface

!--- Global statment for hairpinned client access through 
!--- the security appliance.

nat (inside) 1 192.168.100.0 255.255.255.0

!--- The NAT statement defines which traffic should be natted.  
!--- The whole inside subnet in this case.

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

!--- Static NAT statement mapping the WWW server's real address to a 
!--- public address on the outside interface.

static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

!--- Static NAT statment mapping requests for the public IP address of 
!--- the WWW server that appear on the inside interface to the WWW server's
!--- real address of 192.168.100.10.

  • same-security-traffic—This command enables traffic of the same security level to transit the security appliance. The permit intra-interface keywords allow that same-security-traffic to enter and leave the same interface, thus hairpinning is enabled.

    Note: Refer to same-security-traffic for more information on hairpinning and the same-security-traffic command.

  • global (inside) 1 interface—All traffic that crosses the security appliance must undergo NAT. This command uses the inside interface address of the security appliance in order to enable traffic that enters the inside interface to undergo PAT as it is hairpinned back out the inside interface.

  • static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255—This static NAT entry creates a second mapping for the public IP address of the WWW server. However, unlike the first static NAT entry, this time the address 172.20.1.10 is mapped to the inside interface of the security appliance. This allows the security appliance to respond to requests that it sees for this address on the inside interface. Then, it redirects those requests to the real address of the WWW server through itself.


    Source: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Comments