Hairpinning with static NAT involves sending all traffic between the client and the WWW server through the security appliance. Carefully consider the expected amount of traffic and the capabilities of your security appliance before you implement this solution.
Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1).
Hairpinning, in conjunction with a static NAT statement, can be used to achieve the same effect as DNS doctoring. This method does not change the contents of the DNS A-record that is returned from the DNS server to the client. Instead, when hairpinning is used, such as in the scenario discussed in this document, the client can use the address of 172.20.1.10 that is returned by the DNS server in order to connect.
Here is what the relevant portion of the configuration looks like when you use hairpinning and static NAT to achieve a DNS doctoring effect. The commands in bold are explained in greater detail at the end of this output:
ciscoasa(config)#show run : Saved : ASA Version 7.2(1) ! hostname ciscoasa !--- Output suppressed. same-security-traffic permit intra-interface !--- Enable hairpinning. global (outside) 1 interface !--- Global statement for client access to the Internet. global (inside) 1 interface !--- Global statment for hairpinned client access through !--- the security appliance. nat (inside) 1 192.168.100.0 255.255.255.0 !--- The NAT statement defines which traffic should be natted. !--- The whole inside subnet in this case. static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 !--- Static NAT statement mapping the WWW server's real address to a !--- public address on the outside interface. static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 !--- Static NAT statment mapping requests for the public IP address of !--- the WWW server that appear on the inside interface to the WWW server's !--- real address of 192.168.100.10.