Will Cisco ASA static NAT on hairpin/U-turn on outside interface affect SSH access from outside interface?

Thanks for taking the time to look at this question. Presently, I have a Cisco ASA 5505 (8.2.x) with public IP address A.A.A.A. The only configured interface is the outside interface of the device. No internal interfaces are configured. Currently, this device's purpose is to redirect inbound HTTP traffic into an IPsec tunnel back out the outside interface to remote host B.B.B.B, which is the other end of a VPN hosted by an Ubuntu Server running Strongswan VPN 5.3.5. Strongswan then passes that traffic into an internal LXD container running Apache listening on port 80. I believe the Cisco configuration is called a "hairpin" or a "U-turn".

All of that runs great. No problems.

Now the question becomes, can I configure a regular static NAT rule on the Cisco ASA that will redirect all inbound traffic to A.A.A.A to public IP address B.B.B.B in the same manner through the tunnel? This static NAT rule would replace the existing static PAT rule. Will I lose my ability to SSH into the Cisco ASA device from the outside interface by doing so? Or does the Cisco ASA device make it so that the "ssh A.A.A.A 255.255.255.255 outside" rule is matched before the static NAT rule comes into play? Or is there a way to send the whole IP's traffic over except for one port? Do my proposed changes look ok?

I've posted the relevant sections of the config below and my proposed changes are below the relevant sections:

interface Ethernet0/0
 switchport access vlan 2

interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.248 

same-security-traffic permit intra-interface
access-list 100 extended permit ip any host 172.16.0.100 
access-list 101 extended permit ip any any 

global (outside) 1 interface
static (outside,outside) tcp interface www 172.16.0.100 www netmask 255.255.255.255 
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 [PUBLIC GW IP] 1

crypto ipsec transform-set aes_set esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address 100
crypto map outside_map 30 set peer B.B.B.B 
crypto map outside_map 30 set transform-set aes_set
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash sha     
 group 5      
 lifetime 28800

ssh A.A.A.A 255.255.255.255 outside

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *****

My proposed changes to the Cisco ASA would be as follows:

Remove the existing regular static PAT rule:

no static (outside,outside) tcp interface www 172.16.0.100 www netmask 255.255.255.255

Add in this regular static NAT rule:

static (outside,outside) interface 172.16.0.100 netmask 255.255.255.255

Can I accomplish my goals of redirecting all inbound traffic to the outside interface over the VPN tunnel without losing SSH outside interface access? I'll admit, selfishly I'm trying to avoid making a long drive if it fails :-) Thanks again for taking a look. It is much appreciated.
