
Problem with Hairpin-NAT(or NAT loopback)

Publication Date:  2017-07-04 Views:  123 Downloads:  0
Issue Description

We have a LAN network, 192.168.210.0/24. On that network there is a switchboard at 192.168.210.242. A port forward maps port 80 on the firewall's public IP to port 80 on 192.168.210.242 so that the switchboard can be reached from the internet.

When LAN clients on 192.168.210.0/24 use the public IP of the firewall (http://31.X.X.X) to reach the switchboard through the port forward, we get "connection refused". The firewall reports that the next hop is 127.0.0.1.

Configuration:

nat server http zone untrust protocol tcp global interface GigabitEthernet0/0/1 www inside 192.168.210.242 www no-reverse
#
nat-policy
rule name local_no_nat
  source-zone local
  destination-zone untrust
  action no-nat
rule name Internet
  destination-zone untrust
  action nat easy-ip
#

Handling Process

I have checked the NAT policy configuration, the NAT server configuration and the session table output:

nat server http zone untrust protocol tcp global interface GigabitEthernet0/0/1 www inside 192.168.210.242 www no-reverse
#
nat-policy
rule name local_no_nat
  source-zone local
  destination-zone untrust
  action no-nat
rule name Internet
  destination-zone untrust
  action nat easy-ip
#

<TJB-GAV2-FW01>display firewall session table verbose source inside 10.x.x.x destination inside 31.x.x.x
07:47:27  2017/05/31
Current Total Sessions : 3
  http  VPN:public --> public  ID: a48f3639e3060ca33592e750e
  Zone: trust--> local  TTL: 00:00:10  Left: 00:00:09
  Output-interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:1 bytes:40   -->packets:1 bytes:48
  10.x.x.x:50782-->31.x.x.x:80 PolicyName: trust to loca

Root Cause

As you can see in the session table, source NAT is not working: the session is matched from zone trust to zone local and is sent to InLoopBack0 (next hop 127.0.0.1), i.e. the packet is delivered to the firewall itself instead of being translated and forwarded to the WEB server.

<TJB-GAV2-FW01>display firewall session table verbose source inside 10.x.x.x destination inside 31.x.x.x
07:47:27  2017/05/31
Current Total Sessions : 3
  http  VPN:public --> public  ID: a48f3639e3060ca33592e750e
  Zone: trust--> local  TTL: 00:00:10  Left: 00:00:09
  Output-interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:1 bytes:40   -->packets:1 bytes:48
  10.x.x.x:50782-->31.x.x.x:80 PolicyName: trust to local                          ---> source NAT is not working


The NAT server is already configured, but no source NAT is configured for traffic from the LAN to the WEB server.

The rule can be configured like this:

#
 rule name test
  source-zone trust
  destination-zone trust
  destination-address 192.168.x.x mask 255.255.255.255
  action nat address-group xxx
#
nat address-group xxx 1
 mode pat
 section 0 172.x.x.x 172.x.x.x
#

Or you can use no-pat mode.


In the NAT server configuration we can see that the customer used the interface GigabitEthernet0/0/1 as the global address:

nat server http zone untrust protocol tcp global interface GigabitEthernet0/0/1 www inside 192.168.210.242 www no-reverse

When internet users send traffic to the public IP address through port 8080, the firewall can forward the traffic to the WEB server based on this mapping entry. In this case the customer should not use the interface GigabitEthernet0/0/1 in the NAT server configuration; the public IP address of the WEB server should be used instead.



Solution

Change the NAT server configuration:

From - nat server http zone untrust protocol tcp global interface GigabitEthernet0/0/1 www inside 192.168.210.242 www no-reverse

To   - nat server http zone untrust protocol tcp global (public IP address of the WEB server) www inside 192.168.210.242 www no-reverse


Change the NAT policy so that, in addition to the NAT server mapping, source NAT is applied to the hairpin traffic. The NAT server is already configured; you still need to configure source NAT.

From:

#
nat-policy
rule name local_no_nat
  source-zone local
  destination-zone untrust
  action no-nat
rule name Internet
  destination-zone untrust
  action nat easy-ip
#

To:

#
 rule name test
  source-zone trust
  destination-zone trust
  destination-address 192.168.x.x mask 255.255.255.255
  action nat address-group xxx
#
nat address-group xxx 1
 mode pat
 section 0 172.x.x.x 172.x.x.x
#

Or you can use no-pat mode.

You can use any address group that you want as long as it is in some other subnet than the LAN, so that the WEB server's replies are routed back to the firewall rather than sent directly to the client.
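Added example (not from this case or from Huawei): a small Python model of the hairpin flow after the NAT server mapping has been fixed, with the trust-to-trust source NAT rule from the Solution switchable on and off. Every address except 192.168.210.242 is a placeholder for the case's masked values. It shows why source NAT is needed: without it the switchboard replies straight to the client on the same LAN from 192.168.210.242, which does not match the socket the client opened to the public IP on port 80, so the connection fails; with it the reply is addressed to the address-group IP, returns through the firewall, and both translations are reversed.

```python
from dataclasses import dataclass, replace

# Placeholders for the masked values in the case; only SERVER_IP is from the page.
PUBLIC_IP = "31.0.0.1"          # the firewall's public IP (31.x.x.x)
SERVER_IP = "192.168.210.242"   # the switchboard (WEB server)
CLIENT_IP = "192.168.210.10"    # constructed LAN client on 192.168.210.0/24
SNAT_POOL_IP = "172.16.0.1"     # address-group "xxx" (172.x.x.x), another subnet
LAN = "192.168.210."

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """nat server mapping PUBLIC_IP:80 -> SERVER_IP:80, optionally with the
    trust->trust source NAT rule from the Solution section."""
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.sessions = {}  # translated 4-tuple -> original client packet

    def client_to_server(self, p: Pkt) -> Pkt:
        if not (p.dst == PUBLIC_IP and p.dport == 80):
            return p
        t = replace(p, dst=SERVER_IP)                       # nat server (DNAT)
        if self.hairpin_snat and p.src.startswith(LAN):
            t = replace(t, src=SNAT_POOL_IP, sport=40000)   # source NAT (the fix)
        self.sessions[(t.src, t.sport, t.dst, t.dport)] = p
        return t

    def server_to_client(self, r: Pkt):
        """Reverse both translations; None if no session matches the reply."""
        o = self.sessions.get((r.dst, r.dport, r.src, r.sport))
        return None if o is None else Pkt(o.dst, o.dport, o.src, o.sport)

def hairpin_attempt(hairpin_snat: bool):
    """Return (client_accepted, packet the client received)."""
    fw = Firewall(hairpin_snat)
    syn = Pkt(CLIENT_IP, 50782, PUBLIC_IP, 80)
    at_server = fw.client_to_server(syn)
    reply = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # Without source NAT the reply is addressed to a host on the server's own
    # LAN, so it goes there directly and never returns through the firewall.
    received = reply if reply.dst.startswith(LAN) else fw.server_to_client(reply)
    expected = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    return received == expected, received
```

The no-pat variant differs only in that the client's source port is preserved instead of rewritten; the routing argument is the same.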


Suggestions

Hairpin NAT is defined as follows:

In network computing, hairpinning (or NAT loopback) describes a communication between two hosts behind the same NAT device using their mapped endpoint. Because not all NAT devices support this communication configuration, applications must be aware of it.

Hairpinning is where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN).

END