Understand & Configure NAT Reflection, NAT Loopback, Hairpinning on Cisco ASA 5500-X for TelePresence ExpressWay and Other Applications
This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall running ASA version 8.2 and earlier plus ASA version 8.3 and later, to support NAT Reflection. NAT Reflection, is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address.
What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.
Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section that covers NAT in great depth.
Single 3-Port/Leg Firewall DMZ With One LAN Interface ExpressWay-E Server
In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. This type of setup also happens to be one of the two most popular configurations:
Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)
ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:
- Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
- The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 – ASA’s DMZ interface IP address. This is also known as Source NAT (SNAT).
When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5
Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:
For ASA Versions 8.3 and later:
host 192.168.1.50
!
object network obj-192.168.5.5
host 192.168.5.5
!
object network obj-203.40.40.5
host 203.40.40.5
!
nat (inside,DMZ) source static obj-192.168.1.50 interface destination static
obj-203.40.40.5 obj-192.168.5.5
WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.
WARNING: Users may not be able to access any service enabled on the DMZ interface.
NOTE: After the NAT command is applied you will receive the two above warning messages.
The last line in our ASA configuration performs Source NAT and Destination NAT in one command.
For ASA Versions 8.2 and earlier:
access-list INT-DMZ-IN extended permit ip host 192.168.1.50 host 203.40.40.5
static (inside,DMZ) interface access-list INT-DMZ-IN
!
access-list INT-DMZ-IN extended permit ip host 192.168.5.5 host 192.168.5.1
static (DMZ,inside) 203.40.40.5 access-list INT-DMZ-IN
As shown, there are two levels of NAT occurring for this scenario, both required by the Cisco Telepresence - ExpressWay infrastructure.
Dual 2-Port/Leg Firewalls DMZ With One LAN Interface ExpressWay-E Server
The second most popular setup involves two firewalls, one protecting our LAN (Firewall 2) and one protecting our DMZ (Firewall 1) while also limiting traffic hitting our LAN firewall:
Figure 2. NAT Reflection on a 2-Port ASA Firewall with DMZ for Cisco Telepresence (ExpressWay-C & ExpressWay-E)
In this slightly more complex setup, Firewall No.1 is where we apply NAT Reflection to inbound traffic from ExpressWay-C server destined to ExpressWay-E’s public IP address 203.40.40.5.
It’s important to note that returning traffic from ExpressWay-E to ExpressWay-C will have to pass through Firewall 1 again. If an attempt is made to direct returning traffic through Firewall 2 (bypassing Firewall 1) e.g via a static route, then we’ll have a condition known as Asymmetric Routing, possibly causing disruptions in the communication between the two servers.
Note: Asymmetric Routing occurs when returning traffic between two hosts does not follow the same route as the original traffic. This condition is not favored by Firewalls as they track traffic and expect returning traffic to follow the same path originally taken.
Firewall No.1 is also configured with a one-to-one static NAT mapping, directing all traffic towards 203.40.40.5 to 192.168.5.5.
ExpressWay-C packets traversing ASA Firewall 1 destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:
- Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
- The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.2 – Firewall 1’s internal interface IP address. This is also known as Source NAT (SNAT).
Firewall 2 does not perform any NAT for traffic between ExpressWay-C and ExpressWay-E. When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.2, Destination IP: 192.168.5.5
Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.2) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:
For ASA Versions 8.3 and later:
host 192.168.1.50
!
object network obj-192.168.5.5
host 192.168.5.5
!
object network obj-203.40.40.5
host 203.40.40.5
!
nat (inside,DMZ) source static obj-192.168.1.50 interface destination static
obj-203.40.40.5 obj-192.168.5.5
WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.
WARNING: Users may not be able to access any service enabled on the DMZ interface.
NOTE: After the NAT command is applied you will receive the two above warning messages.
The last line in our ASA v8.3 and later configuration performs Source NAT and Destination NAT in one command.
For ASA Versions 8.2 and earlier:
static (inside,DMZ) interface access-list INT-DMZ-IN
!
access-list INT-DMZ-IN extended permit ip host 192.168.5.5 host 192.168.5.1
static (DMZ,inside) 203.40.40.5 access-list INT-DMZ-IN
Summary
NAT Reflection (NAT Loopback or Hairpinning) is a fairly new NAT concept to most but as we’ve seen it’s a fairly easy one to understand. Implementations of NAT Reflection are slowly becoming popular due to the new and complex technologies that require this type of NAT functionality – Telepresence and video conferencing being one of them. We covered NAT Reflection for the two most popular Firewall configurations including diagrams and ASA Firewall configuration commands.
Your IP address:
3.145.175.50
Wi-Fi Key Generator
Follow Firewall.cx
Cisco Password Crack
Decrypt Cisco Type-7 Passwords on the fly!