Will Cisco ASA static NAT on hairpin/U-turn on outside interface affect SSH access from outside interface?

Thanks for taking the time to look at this question. Presently, I have a Cisco ASA 5505 (8.2.x) with public IP address A.A.A.A. The only configured interface is the outside interface of the device. No internal interfaces are configured. Currently, this device's purpose is to redirect inbound HTTP traffic into an IPsec tunnel back out the outside interface to remote host B.B.B.B, which is the other end of a VPN hosted by an Ubuntu Server running a Strongswan VPN 5.3.5 server. Strongswan then passes that traffic into an internal LXD container running Apache listening on port 80. I believe the Cisco configuration is called a "hairpin" or a "u-turn".

All of that runs great. No problems.

Now the question becomes: can I configure a regular static NAT rule on the Cisco ASA that will redirect all inbound traffic to A.A.A.A to public IP address B.B.B.B in the same manner through the tunnel? This static NAT rule would replace the existing static PAT rule. Will I lose my ability to SSH into the Cisco ASA device from the outside interface by doing so? Or does the Cisco ASA device make it so that the "ssh A.A.A.A outside" rule is matched before the static NAT rule comes into play? Or is there a way to send the whole IP's traffic over except for one port? Do my proposed changes look OK?

I've posted the relevant sections of the config below and my proposed changes are below the relevant sections:

interface Ethernet0/0
 switchport access vlan 2

interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A

same-security-traffic permit intra-interface
access-list 100 extended permit ip any host
access-list 101 extended permit ip any any

global (outside) 1 interface
static (outside,outside) tcp interface www www netmask
access-group 101 in interface outside
route outside [PUBLIC GW IP] 1

crypto ipsec transform-set aes_set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address 100
crypto map outside_map 30 set peer B.B.B.B
crypto map outside_map 30 set transform-set aes_set
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

ssh A.A.A.A outside

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *****

My proposed changes to the Cisco ASA would be as follows:

remove the existing regular static PAT rule:

no static (outside,outside) tcp interface www www netmask

add in this regular static NAT rule:

static (outside,outside) interface netmask

Can I accomplish my goals of redirecting all inbound traffic to the outside interface over the VPN tunnel without losing SSH outside interface access? I'll admit, selfishly I'm trying to avoid making a long drive if it fails :-) Thanks again for taking a look. It is much appreciated.
