Sunday, February 1, 2015

ASA Hair-pinning

What is hair-pinning?

Hair-pinning is when the ASA appliance receives traffic on an interface and immediately sends it back out the same interface.

This feature can be enabled with the following command:

ASA(config)# same-security-traffic permit intra-interface

Encrypted traffic can be redirected out the same interface either still encrypted or as clear traffic; this feature has been available since ASA software version 7.2(1). Hair-pinning is useful in many different scenarios.

Let's consider the following scenario.


R1, which is our test host, is connected to the ASA inside interface, and the same ASA interface is attached to R2. I know it looks a bit weird, but this is just a simple scenario for testing the feature.

The ASA has a route for network 172.16.2.0 via router R2 (172.16.1.100):

ASA(config)# route inside 172.16.2.0 255.255.255.0 172.16.1.100

R1 has the ASA inside interface (172.16.1.1) configured as its default gateway.


Wednesday, January 14, 2015

GRE tunnel and policy to clear DF bit on Cisco Router

Tunneling provides a mechanism to transport packets of one protocol within another protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different protocols. Basically, when you configure a tunnel, it is as if you create a simple point-to-point connection between the two devices.


Let's consider the following scenario with Cisco routers.



R1#show running-config interface tunnel 0
Building configuration...

Current configuration : 140 bytes
!
interface Tunnel0
 ip address 192.168.99.1 255.255.255.0
 keepalive 300 3
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.3
end

R3#show running-config interface tunnel 0
Building configuration...

Current configuration : 140 bytes
!
interface Tunnel0
 ip address 192.168.99.3 255.255.255.0
 keepalive 300 3
 tunnel source 192.168.2.3
 tunnel destination 192.168.1.1
end
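Every packet entering Tunnel0 above gains a 20-byte outer IPv4 header and a 4-byte GRE header, so a 1500-byte packet leaves the tunnel head-end as 1524 bytes and cannot cross a 1500-byte link unless it is fragmented; if the inner packet carries the Don't Fragment (DF) bit, the router has to drop it instead, which is the situation the DF-clearing policy in this post's title works around. As an added example (not Cisco code and not anything taken from R1 or R3), the Python below builds a constructed inner IPv4 packet, encapsulates it in GRE between the two tunnel endpoints from the configs, and shows the head-end's decision with and without a DF-clearing policy. The header layout and checksum follow RFC 791; `tunnel_forward` is a simplified model of the router's choice, not IOS's exact fragmentation code, and the addresses and payload are constructed for the example.

```python
import ipaddress
import struct

IPV4_HDR_LEN = 20        # IPv4 header without options
GRE_HDR_LEN = 4          # basic GRE header (RFC 2784): flags/version + protocol type
GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload
DF_FLAG = 0x4000         # Don't Fragment bit in the IPv4 flags/fragment-offset word


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = False, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 packet (no options) around payload; constructed test data only."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HDR_LEN + len(payload), 0, DF_FLAG if df else 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    # Checksum is computed with the checksum field zeroed, then written into bytes 10-11.
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_checksum_ok(packet: bytes) -> bool:
    """A header whose checksum is correct sums to zero under the same algorithm."""
    return ipv4_checksum(packet[:IPV4_HDR_LEN]) == 0


def df_set(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)


def clear_df(packet: bytes) -> bytes:
    """Return a copy with DF cleared and the header checksum recomputed.

    This is what a DF-clearing policy on the router achieves before the packet
    is encapsulated, so the router may fragment it instead of dropping it.
    """
    hdr = bytearray(packet[:IPV4_HDR_LEN])
    flags_frag = struct.unpack("!H", bytes(hdr[6:8]))[0] & ~DF_FLAG & 0xFFFF
    hdr[6:8] = struct.pack("!H", flags_frag)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[IPV4_HDR_LEN:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a GRE header plus an outer IPv4 header between the tunnel endpoints."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence options
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def tunnel_forward(inner: bytes, tunnel_src: str, tunnel_dst: str, link_mtu: int, clear_df_policy: bool) -> str:
    """Simplified model of the tunnel head-end's decision for one inner packet (assumption, not IOS logic)."""
    if len(inner) + IPV4_HDR_LEN + GRE_HDR_LEN <= link_mtu:
        return "forwarded"
    if df_set(inner) and not clear_df_policy:
        # A real router answers with ICMP 'fragmentation needed'; the sender must shrink its packets.
        return "dropped: fragmentation needed and DF set"
    if df_set(inner):
        inner = clear_df(inner)
    return "fragmented: packet exceeds tunnel MTU and DF is clear"


if __name__ == "__main__":
    # Constructed 1500-byte TCP packet with DF set, entering the tunnel from the R1 side.
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", 6, b"\x00" * 1480, df=True)
    print("on the wire after GRE:", len(gre_encapsulate(pkt, "192.168.1.1", "192.168.2.3")), "bytes")
    print("without DF policy:", tunnel_forward(pkt, "192.168.1.1", "192.168.2.3", 1500, False))
    print("with DF policy:   ", tunnel_forward(pkt, "192.168.1.1", "192.168.2.3", 1500, True))
```

The 24 bytes of overhead are why an IOS GRE-over-IP tunnel defaults to a 1476-byte tunnel MTU; clearing DF trades the end host's path MTU discovery for router-side fragmentation, so it is a workaround for hosts that ignore ICMP "fragmentation needed", not a substitute for a correct MTU.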

Saturday, July 12, 2014

How to perform PATH MTU Discovery


Maximum Transmission Unit (MTU) is the largest data size (in bytes) permitted through the network. Ethernet interfaces have a default MTU of 1500 bytes, not including the Ethernet header or trailer. The value of the MTU depends on the type of transmission link. The design of the IP protocol resolves MTU differences by allowing routers to fragment IP datagrams when necessary. The receiving host is responsible for reassembling the fragments back into the original full-size IP datagram. This article will help you determine and set up the correct MTU size.

To determine the correct MTU size for your network, you can run a specific ping test against the destination you are trying to reach, such as another computer or a web address.

For Windows computers, use the following command for the ping test: ping [url/local server or IP address] -f -l [xxxx number of bytes]

• Example: ping www.google.com -f -l 1472

For Mac computers, use the following command for the ping test: ping [url/local server or IP address] -d -s [xxxx number of bytes]

• Example: ping www.google.com -d -s 1472
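The ping tests above adjust the payload size by hand until a DF-set packet stops getting through. As an added example that is not part of this article, the Python below automates that search: a binary search over the total packet size with the Don't Fragment bit set, and the 28-byte IPv4 plus ICMP overhead that the 1472 figure above already accounts for (1472 + 28 = 1500). The `simulated_path` probe is constructed so the code runs offline; `linux_ping_probe`, which shells out to Linux `ping -M do`, is my assumption for running the same search against a real host and is not a command from the article.

```python
import subprocess
from typing import Callable

# An ICMP echo request carries a 20-byte IPv4 header plus an 8-byte ICMP header,
# so a 1472-byte ping payload produces a 1500-byte packet (the default Ethernet MTU).
IPV4_ICMP_OVERHEAD = 28


def discover_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 9000) -> int:
    """Binary-search the largest total IPv4 packet size that crosses the path unfragmented.

    probe(total_size) must send a DF-set packet of that total size and return True
    only if a reply came back.  A path either passes a given size or it does not,
    so the results are monotonic and a binary search is valid.
    """
    if not probe(low):
        raise ValueError(f"even {low}-byte probes fail; the path or the host is down")
    best = low
    while low <= high:
        mid = (low + high) // 2
        if probe(mid):
            best = mid       # this size fits; look for something larger
            low = mid + 1
        else:
            high = mid - 1   # too big; shrink
    return best


def ping_payload_for_mtu(path_mtu: int) -> int:
    """Largest ping payload that fits in path_mtu (the -l / -s value used in the article's commands)."""
    return path_mtu - IPV4_ICMP_OVERHEAD


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: DF packets up to path_mtu pass, larger ones are dropped."""
    return lambda total_size: total_size <= path_mtu


def linux_ping_probe(host: str) -> Callable[[int], bool]:
    """Assumed real-network probe for Linux iputils ping: -M do sets DF, exit status 0 means a reply arrived."""
    def probe(total_size: int) -> bool:
        payload = total_size - IPV4_ICMP_OVERHEAD
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
        )
        return result.returncode == 0
    return probe


if __name__ == "__main__":
    # Constructed example: a path with a 1400-byte bottleneck somewhere in the middle.
    mtu = discover_path_mtu(simulated_path(1400))
    print(f"path MTU {mtu} bytes; largest ping payload that passes: {ping_payload_for_mtu(mtu)}")
```

If even the smallest probe fails, the function raises rather than returning a misleading value; the 576-byte floor is the minimum datagram size every IPv4 host must accept, so a failure there means the host or path is unreachable, not that the MTU is small.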

To show the current MTU on Windows 7 or Windows Vista, from a command prompt: