Hairpinning traffic through ASA with State Bypass
Several years ago I wrote an article about the Woes of Using an ASA as a Default Gateway. I have received a lot of feedback about this post and recently had a request for an update around ASA > 8.3. When building this scenario out with current ASA code, I found that the base NAT configuration (internet only PAT) had no bearing on the hairpin configuration. As expected, I found the same challenge around state bypass. I wanted to share a current post that demonstrates the challenges and solutions when traffic is bounced off the inside interface of the ASA.
The requirements of the configuration are as follows–
- TestHost must be able to Telnet and Ping to Internet and PartnerHost
- The inside interface of asav-1 must be the default gateway for TestHost
- asav-1 is doing PAT for Internet destined traffic
- PartnerRTR and ParnterHost have been preconfigured as shown above
The following are the base configurations for all of the devices. The configuration of asav-1 does not seem to allow communication from TestHost to PartnerHost (100.1.1.0/24 network).
TestHost Configuration
hostname TestHost ! interface GigabitEthernet2 description to iosvl2-1 ip address 10.1.1.5 255.255.255.0 ! ip route 0.0. Continue reading
SDxCentral Weekly News Roundup — August 5, 2016
Big Switch Networks announced the company’s launch in Australia.
Worth Reading: Top performance items to watch
The post Worth Reading: Top performance items to watch appeared first on 'net work.