Hairpinning is the term used when someone wants to redirect traffic from an internal network destined for the public IP of an internal resource back to the internal IP of the internal resource. It’s essentially a “U-Turn” for packets destined to travel externally when the ultimate destination is a NATed inside resource on your own network. If you Google this and look at forums, you will find overly-complicated, convoluted tech-talk and people posting their specific Cisco configs for others to look through and help them with their specific issues as opposed to an easy-to-understand generic formula for how to accomplish this relatively common request. So, let’s make it simple:
1.) Log into the Cisco ASDM
2.) Click on “Configuration” at the top, then click on “Interfaces” and click on the check box that says “Enable traffic between two or more hosts connected to the same interface”. This is equivalent to the command line “same-security-traffic permit intra-interface”. Once done, click “Apply” and then save the running config.
3.) Once you have done the above, you must click on “Firewall” down on the lower left and then highlight “NAT Rules”. Once in “NAT Rules” find the NATed public IP that you need hairpinned (if you did not yet created a NATed public IP to private IP, you can do so here) and then scroll over and make sure to click the checkboxes for “DNS Rewrite” for those NATed public IPs. Click “Apply” and then save the running config.
4.) Congratulations! Traffic from inside your network pointing to a Public DNS name which translates to a NATed public IP within the ASA should now be resolving to the internal IP instead. *NOTE* – This only works if you are trying to translate a public DNS record which would normally resolve to a public IP address that you have NATed to an internal IP address within the ASA. This will NOT allow direct public IP to internal IP translation.
Digg This | Save to del.icio.us
You can follow this conversation by subscribing to the comment feed for this post.