When configuring a Cisco ASA 5505 firewall, one common networking challenge is establishing connectivity where internal clients need to access internal servers using the server's external IP address. This scenario, known as NAT loopback or hairpin NAT, requires specific configuration to allow traffic to flow from inside → outside → back inside the network.
Here's what happens during a typical connection attempt:
1. Internal client (192.168.1.100) requests server.example.com (1.2.3.4)
2. ASA translates source IP to outside interface IP (NAT)
3. ASA receives packet on outside interface (1.2.3.4)
4. ASA needs to translate destination back to internal server IP
For a server at 192.168.1.50 with external IP 1.2.3.4:
1. Navigate to Configuration → NAT Rules
2. Add static NAT rule:
- Original Interface: inside
- Original Source: 192.168.1.50
- Translated Interface: outside
- Translated Address: 1.2.3.4
3. Add access rule:
- Source: inside network (192.168.1.0/24)
- Destination: 1.2.3.4
- Service: required ports (e.g., tcp/80, tcp/443)
- Action: Permit
For those preferring command-line configuration:
object network SERVER_INTERNAL
 host 192.168.1.50
object network SERVER_EXTERNAL
 host 1.2.3.4
! Manual (twice) NAT: map the server's real address to its public address
nat (inside,outside) source static SERVER_INTERNAL SERVER_EXTERNAL
! Permit inside hosts to reach the server's public address on port 80
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 1.2.3.4 eq www
access-group INSIDE_IN in interface inside
For optimal performance:
- Use split-brain DNS with internal records pointing to 192.168.1.50
- Alternatively, configure conditional forwarding on internal DNS
- Test with nslookup to verify resolution
When encountering issues:
show nat detail
show access-list
packet-tracer input inside tcp 192.168.1.100 1234 1.2.3.4 80 detail
Common pitfalls include missing access rules, incorrect NAT order, or DNS resolution problems.
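The configuration above only provides the normal inbound static NAT; for an inside client to reach 1.2.3.4 and have the server's reply come back through the ASA, the firewall also has to allow traffic to enter and leave the inside interface and rewrite both addresses on that flow. The following is an added example (not the page's own configuration) of the form this takes on ASA 8.3 and later, using the addresses from the steps above; the interface names "inside" and "outside", the object name INSIDE_NET and the client address 192.168.1.100 used in the trace are assumptions.

```cisco
! Added example, not the page's configuration: hairpin NAT on ASA 8.3+
! for inside clients that connect to the inside server via 1.2.3.4.
! Interface names "inside"/"outside" and the object INSIDE_NET are assumed.

! 1. Allow a flow to enter and exit the same interface (required for hairpinning)
same-security-traffic permit intra-interface

! 2. Objects (server and inside network from the steps above)
object network SERVER_INTERNAL
 host 192.168.1.50
object network SERVER_EXTERNAL
 host 1.2.3.4
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0

! 3. Normal inbound static NAT for Internet clients
nat (inside,outside) source static SERVER_INTERNAL SERVER_EXTERNAL

! 4. Hairpin rule: an inside client that connects to 1.2.3.4 gets its
!    destination rewritten to 192.168.1.50 and its source PAT'd to the
!    inside interface address, so the server's reply returns through the
!    ASA instead of going straight back to the client on the LAN.
nat (inside,inside) source dynamic INSIDE_NET interface destination static SERVER_EXTERNAL SERVER_INTERNAL

! 5. Verify: the trace should end in ALLOW, with the NAT phase showing the
!    destination translated to 192.168.1.50 and the egress interface "inside".
packet-tracer input inside tcp 192.168.1.100 1234 1.2.3.4 80 detail
```

Two caveats for this form: manual NAT rules are evaluated in order, so the hairpin rule belongs in the manual NAT section alongside the inbound rule rather than being left to the auto NAT section; and on 8.3 and later access rules are matched against real (untranslated) addresses, so if an access list is applied inbound on the inside interface it must permit the server's real address 192.168.1.50 for the hairpinned flow, which the packet-tracer output will show as a DROP in the ACCESS-LIST phase if it is missing.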
When configuring a Cisco ASA 5505 firewall, one common network architecture challenge is enabling internal clients to access an internal server using its external public IP address. This scenario, often called "hairpin NAT" or "NAT loopback," occurs when traffic originates from inside the network, goes out through the firewall, and loops back in to reach the internal resource.
By default, when an internal client tries to access the external IP of your server:
- The request goes out through the ASA with source NAT
- The ASA performs destination NAT to translate the external IP to internal
- The server responds to the internal client directly (bypassing the ASA)
- The client drops the response because it doesn't match the original request's NAT state
Here's the complete ASDM/CLI configuration to enable hairpin NAT:
! Static NAT (port 80 only) for the internal server
object network INTERNAL_SERVER
 host 192.168.1.100
 nat (inside,outside) static 203.0.113.5 service tcp 80 80
! PAT for internal clients behind the outside interface address
! (a subnet object cannot be statically mapped to "interface"; dynamic PAT is the valid form)
object network INTERNAL_CLIENTS
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Access rule for inbound connections to the server
! (with object NAT, i.e. ASA 8.3+, access rules match the real address, so reference the object)
access-list OUTSIDE-IN extended permit tcp any object INTERNAL_SERVER eq www
access-group OUTSIDE-IN in interface outside
The key components work together:
- Static NAT: Maps the internal server IP to its external IP bidirectionally
- Identity NAT: Makes internal clients appear to come from the outside interface IP
- Access Rules: Permits the traffic in both directions
After configuration, verify with these CLI commands:
show nat detail
show access-list
show conn address 192.168.1.100
Common issues and solutions:
- ACL conflicts: check for conflicting rules with show access-list
- NAT order: ensure manual NAT comes before auto NAT (show run nat)
- DNS issues: internal DNS should resolve to the internal IP, external DNS to the public IP
For web servers, consider implementing split DNS:
; Internal DNS zone
server.internal. IN A 192.168.1.100
; External DNS zone
server.example.com. IN A 203.0.113.5
This avoids the hairpin scenario altogether by providing different resolutions based on client location.
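Where maintaining two DNS zones is not practical, the ASA can produce the same effect by rewriting DNS replies itself. The following is an added example, not part of the page's configuration, showing the dns keyword on the server's static NAT using the addresses from this answer; it assumes the default global service policy with DNS inspection is still in place and that inside clients' DNS replies arrive through the outside interface (directly, or via an internal resolver that forwards to an external one).

```cisco
! Added example, not the page's configuration: DNS rewrite ("DNS doctoring")
! as an alternative to split DNS. Assumes the default global policy with
! "inspect dns" is in place and that DNS replies for inside clients cross the
! ASA from outside to inside.
object network INTERNAL_SERVER
 host 192.168.1.100
 nat (inside,outside) static 203.0.113.5 dns

! With "dns", an A record of 203.0.113.5 in a reply passing from outside to
! inside is rewritten to 192.168.1.100, so inside clients connect to the
! server directly on the LAN and no hairpin flow is created.

! DNS inspection must be applied for the rewrite to happen. These are the
! default lines of the global policy, shown here only so they can be checked
! with "show run policy-map"; if they were removed, they must be restored.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Note that the dns keyword cannot be combined with port translation (service tcp 80 80), so this form requires a one-to-one static mapping for the server. To check the result, run nslookup for the public name from an inside host: the answer should now be 192.168.1.100, while an external client still receives 203.0.113.5.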