When traffic arrives at the ASA on one interface, makes a U-turn, and leaves again through the same interface, it is referred to as U-turn traffic.
Drawn out, this path looks like a hairpin, so the same traffic pattern is also called hairpinning.
By default the Cisco ASA does not accept traffic that enters and exits the same interface and drops it.
Traffic entering and exiting the same interface can be allowed with the global configuration command same-security-traffic permit intra-interface.
Now consider the following scenario: we have a webserver with IP address 192.168.1.2 on our internal LAN. The ASA is configured so that IP address 192.168.2.200 on the outside is translated to IP address 192.168.1.2, which allows users on the Internet to reach the webserver.
When our internal hosts try to reach the webserver through that same outside IP address (192.168.2.200) instead of its internal address (192.168.1.2), however, the connection is never established.
Looking at the ASA, it currently only translates the inside address 192.168.1.2 to the outside address 192.168.2.200 for traffic between the inside and outside interfaces. That is enough for a host on the outside to reach the webserver:
H2#telnet 192.168.2.200 80
Trying 192.168.2.200, 80 ... Open
H1 on the inside, however, cannot reach the webserver through the outside IP address; the connection attempt never completes:
H1#telnet 192.168.2.200 80
Trying 192.168.2.200, 80...
Two changes are needed. First, tell the ASA to permit traffic that enters and exits the same interface, using the global command same-security-traffic permit intra-interface. Second, add a NAT rule for the inside-to-inside path: when an internal host sends traffic to 192.168.2.200 (WEB_PUBLIC), the destination is rewritten to 192.168.1.2 (WEB_LOCAL), and the source address of the internal host (INTERNAL_HOSTS) is translated to the ASA's inside interface address. The source translation is what makes the return path work: without it the webserver would see the client's real LAN address, answer it directly across the switch, and the ASA would never see the reverse half of the TCP handshake and would drop the connection as incomplete.
# nat (inside,inside) source dynamic INTERNAL_HOSTS interface destination static WEB_PUBLIC WEB_LOCAL
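The complete configuration for this scenario, written here as an added example and not taken from the original page. It assumes ASA 8.3 or later NAT syntax, an internal LAN of 192.168.1.0/24, that the existing inside-to-outside translation is a twice-NAT rule using the same objects, and a client address of 192.168.1.10 for the check at the end; the object names INTERNAL_HOSTS, WEB_LOCAL and WEB_PUBLIC are the ones used in the hairpin rule above.

```cisco
! Added example, not from the original page. ASA 8.3+ NAT syntax.
! Inside LAN 192.168.1.0/24 and client 192.168.1.10 are assumed.
!
! Network objects (names match the hairpin rule; addresses from the text)
object network WEB_LOCAL
 host 192.168.1.2
object network WEB_PUBLIC
 host 192.168.2.200
object network INTERNAL_HOSTS
 subnet 192.168.1.0 255.255.255.0
!
! Existing translation for Internet users: 192.168.1.2 <-> 192.168.2.200
! (assumed to be configured as twice NAT; object NAT works the same way)
nat (inside,outside) source static WEB_LOCAL WEB_PUBLIC
!
! Step 1: allow traffic to enter and leave the same interface
same-security-traffic permit intra-interface
!
! Step 2: hairpin rule. Destination 192.168.2.200 is rewritten to
! 192.168.1.2, and the client's source is PATed to the ASA inside
! interface address so the server's replies come back through the ASA
! instead of going straight to the client on the LAN.
nat (inside,inside) source dynamic INTERNAL_HOSTS interface destination static WEB_PUBLIC WEB_LOCAL
!
! Checks, run from exec mode (not configuration):
!   packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.200 80
!     -> the output must include a NAT phase for the hairpin rule and end
!        with "Action: allow"; a drop here means step 1 or 2 is missing
!   show nat detail
!     -> lists both rules with their translate_hits / untranslate_hits
!   show xlate
!     -> after a client connects, shows 192.168.1.10 PATed to the inside
!        interface address and 192.168.2.200 mapped to 192.168.1.2
```

Twice NAT rules are matched top-down, so keep the hairpin rule above any broad rule such as a dynamic PAT of the whole inside network to the outside interface; otherwise that rule can match first and the hairpin rule is never used. Because the clients are PATed to the inside interface address, the webserver's logs show every internal client as that one address; if the real client addresses matter, the usual alternative is DNS doctoring (the dns keyword on the static NAT rule), which rewrites the DNS answer for internal clients to 192.168.1.2 so they never hairpin at all.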
inspectingfirewalls@gmail.com
https://www.facebook.com/groups/inspectingfirewalls