How do you NAT Hairpin in IOS 8.3+

As an obsolete ex-PIX/ASA admin I of course found this irresistible. I have no appliance (but an old PIX 506E running 6.3) to try it on, so it's kind of totally lame. But this is what I found in the online documentation for 9.1 and through some random Googling. Reference links are provided at the bottom of the post. So fingers crossed...

Assuming all other config is correct, such as routing, access-lists, etc., you would still need to use the command

same-security-traffic permit intra-interface

in order to have traffic from an inside client to an externally mapped address allowed to re-translate towards an internal server address, i.e. having it "hairpinned".

To port map the internal address i.i.i.i to the external address x.x.x.x, you would, prior to 8.3, have used the command

static (inside,inside) x.x.x.x i.i.i.i

in order to allow NAT hairpinning for an internal host to the inside server using the external address obtained from DNS. This differs from the regular "un-hairpinned" syntax, which would be

static (inside,outside) x.x.x.x i.i.i.i

and which naturally would also be present to allow external clients to reach the server using the public IP.

In version 8.3 and onward this syntax has been rewritten, and the corresponding hairpinning port-map instruction to the ASA would look like this as one feeds it in:

asa-box(config)# object network my-outside-address-obj
asa-box(config-network-object)# host x.x.x.x
asa-box(config-network-object)# object network my-inside-address-obj
asa-box(config-network-object)# host i.i.i.i
asa-box(config-network-object)# nat (inside,inside) static my-outside-address-obj

This would be complemented with a regular "un-hairpinned" instruction too.

That seems to be the only real difference I can find, but I am of course terribly curious as to how it works in practice.

I found the 9.1 command syntax for port address translation (i.e. corresponding to the old static command) here: http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html#wp1106703

I found an absolutely outstanding historical guide to the hairpinning syntax, showing the same example design as it would be configured throughout the different versions here: http://nat0.net/cisco-asa-hairpinning/

Best of luck!
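A complete ASA 8.3+ hairpin configuration, added here as an example and not ErikE's own config: it uses the twice NAT (manual NAT) form instead of the object NAT line above, so the destination translation is combined with the client-side source PAT that ErikE's later comment in the thread identifies as the missing piece. The object names, the 192.168.1.0/24 inside network and the 203.0.113.10 public address are constructed placeholders.

```text
! Added example, not from the original answer. Addresses and object names are
! constructed placeholders; substitute the real server and its public address.

! 1. Let traffic enter and leave the same interface (required for hairpinning).
same-security-traffic permit intra-interface

! 2. One object for the server's real address, one for its mapped (public) address.
object network WEB-SERVER-REAL
 host 192.168.1.10
object network WEB-SERVER-PUBLIC
 host 203.0.113.10

! 3. Regular "un-hairpinned" object NAT so outside clients reach the public address.
object network WEB-SERVER-REAL
 nat (inside,outside) static WEB-SERVER-PUBLIC

! 4. Hairpin as twice NAT on (inside,inside): the destination is translated
!    public -> real, and the client's source is PAT'd to the ASA's inside
!    interface address, so the server replies back to the ASA instead of straight
!    to the client (which expects the reply from the public address it sent to).
nat (inside,inside) source dynamic any interface destination static WEB-SERVER-PUBLIC WEB-SERVER-REAL

! 5. Since 8.3, access-lists match the REAL (untranslated) address. If an
!    access-group is already applied inbound on inside, that ACL needs an entry
!    permitting the server's real address, not the public one, e.g.:
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq 80

! 6. Checks: confirm the rules and their hit counts, then trace a constructed
!    inside client (192.168.1.50) connecting to the public address on port 80.
show nat detail
packet-tracer input inside tcp 192.168.1.50 12345 203.0.113.10 80
```

The packet-tracer output should show the twice NAT rule in the NAT phase and end with "Action: allow"; a drop in the ACCESS-LIST phase usually means the inside ACL still references the mapped address.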


Updated on September 18, 2022

Comments

  • Tyler M.
    Tyler M. over 1 year

    I'm remoted into a Linux machine that I don't own from my Windows machine. I've got two Java files:

    DBConnect.java
    Main.java

    I compile and run them fine on my machine and in my IDE (I'm using NetBeans). When I copy them to the remote Linux machine, the place they're located is:

    /home/NETID/myname/430

    I compile them using:

    javac *.java

    They compile successfully, which creates two new files:

    DBConnect.class
    Main.class

    I then attempt to run Main.class. With each of the following commands, I get the error "Error: Could not find or load main class Main":

    java Main
    java <pkg>.Main
    java <pkg>/Main

    In my case, in NetBeans, my project is called MyProject. In the directory structure on the left-hand side of the IDE window, there is MyProject. Under that is a file called Source Packages. In that file is another thing called pkgMyProject. When I expand that, I see my two Java files.

    Also, at the top of both Main.java and DBConnect.java, there is:

    package pkgMyProject;

    I've read some other questions here referring to this issue, but I'm having trouble understanding the answers. Also, many of the answers don't apply because I don't think I can set the classpath on the remote machine.

    When I check my classpath in my terminal (when I'm remotely connected) using...

    echo ${CLASSPATH}

    ...nothing is displayed.

    How can I find my classpath, and how can I run these files?

    • ewwhite
      ewwhite over 10 years
      And this is why internal DNS is a useful method to work around this. Sometimes hair pinning works, sometimes it doesn't. I haven't dug deep enough to find out why. Handling via DNS has been far more consistent in my environments.
    • ymonad
      ymonad about 5 years
      "I don't think I can set the classpath on the remote machine." No, you can do something like "java -cp . Main".
    • ymonad
      ymonad about 5 years
      Also, you can set CLASSPATH using "export CLASSPATH=/path/to/somewhere" if you are using bash.
  • Novox
    Novox over 10 years
    I already have the following in my config: "object network Internal_NAT_Range" with "nat (inside,outside) static External_NAT_Range net-to-net". As soon as I added "nat (inside,inside) static External_NAT_Range", my traffic stopped flowing :/
  • ErikE
    ErikE over 10 years
    Have you got your access-lists in place for the nat (inside,inside)?
  • Novox
    Novox over 10 years
    I do not... please advise how that should work? I have "object network External_NAT_Range" with "range 162.208.56.3 162.208.59.255" and "description ARIN IPv4", and "object network Internal_NAT_Range" with "range 172.17.56.3 172.17.59.255", and I want the loopback (hairpinning) to allow any internal IP in the range 172.17.56.3 172.17.59.255 to be able to access any IP in the range 162.208.56.3 162.208.59.255.
  • Novox
    Novox over 10 years
    Do I want something like "access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range" with "access-group hairpin_allow in interface inside"?
  • Novox
    Novox over 10 years
    Thanks. I tried "access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range" with "access-group hairpin_allow in interface inside" and that didn't seem to fix the issue. Also, that link, "nat0.net/cisco-asa-hairpinning", appears to be broken now... I'll try the Wayback Machine or Google cache.
  • ErikE
    ErikE over 10 years
    OK, I've spent my evening's allowance but think I've identified the missing piece. I've found the pre-8.3 syntax and need to find/work out the post-8.3 one, but it will have to wait until another evening: one also needs to apply dynamic PAT to the client-to-server traffic (= the source address of the client is rewritten as an ASA address), or the reply will be directed straight to the client using the server's internal address as source (which the client doesn't expect, as it sent to the external address). Pre-8.3 the command is similar to "global (inside) 1 interface", depending a bit on the setup. A link or two to follow...
  • ErikE
    ErikE over 10 years
  • Novox
    Novox over 10 years
    Thank you ErikE. I appreciate all your time you are putting into this. I checked those links and they refer to pre-8.3 IOS. I've updated my question to include more information which hopefully makes my situation more clear...
  • Novox
    Novox over 10 years
    FYI ErikE, there is a flurry of activity on my posting at the Cisco Support Site, supportforums.cisco.com/message/4111179. My original posting has been hijacked a little, but I'm just happy that there is discussion going on!
  • ErikE
    ErikE over 10 years
    That's brilliant Novox, I am very excited to be able to work with this without actually having access to a box, even if it makes it darned complicated too :-) However I'm too tired to really think tonight. If you gain insights through whatever channels please do share through writing your own answer!
  • GhostCat
    GhostCat about 5 years
    You might want to include the information given in the comments about setting up the classpath, too.
  • Tyler M.
    Tyler M. about 5 years
    Perfect, that worked. Few questions for you! 1) What's the purpose of having a directory of the package name in which all of those files are stored? Is it just like "here's a package of files, and they're all packaged up within this directory"? 2) What does the "." do when I'm running Main? Does it just mean "this directory"? 3) If it does, then I'm saying "run a java program, from this directory, but the path to the class file is to first go into pkgMyProject and it'll be there." Correct?
  • cristhiank
    cristhiank about 5 years
    1) It is a language-specific requirement. In an enterprise project you will have a lot more than two classes. The folder/package structure allows you to separate your system into modules or layers according to your architecture. Also, usually you will package the compiled files in a .jar file to deploy them. 2) Yes, it means "this directory". 3) Yes, the full class name in Java consists of the package plus the class name in the file. It is called the fully qualified name.