Understand & Configure NAT Reflection, NAT Loopback, Hairpinning on Cisco ASA 5500-X for TelePresence ExpressWay and Other Applications
This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall running ASA version 8.2 and earlier plus ASA version 8.3 and later, to support NAT Reflection. NAT Reflection, is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address.
What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.
Single 3-Port/Leg Firewall DMZ with one LAN interface ExpressWay-E Server
In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 18.104.22.168. This type of setup also happens to be one of the two most popular configurations:
Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)
ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:
- Destination IP address 22.214.171.124 is replacedwith Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
- The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 – ASA’s DMZ interface IP address. This is also known as Source NAT (SNAT).
When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5
Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:
For ASA Versions 8.3 and later: