Cisco ASA: NAT Hairpinning

NAT hairpinning (or NAT loopback) is used to reach hosts on a network from within that same network using their outside addresses. With this kind of access, traffic goes from inside to outside and then back to inside, i.e. it loops back, hence the name.

Pre 8.3 version

Assuming dynamic NAT:

global (inside) 1 interface

Permit traffic to enter and exit the same interface:

same-security-traffic permit intra-interface

NAT rules:

static (inside,inside) 72.35.20.201 192.168.100.10 netmask 255.255.255.255

or

static (inside,inside) tcp 72.35.20.201 www 192.168.100.10 www netmask 255.255.255.255

Assuming:

nat (inside) 1 192.168.100.10

Also, assuming:

access-list acl_inside extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_inside extended deny ip any any
access-group acl_inside in interface inside

Post 8.2 version

Permit traffic to enter and exit the same interface:

same-security-traffic permit intra-interface

NAT rules:

object network obj_any_hairpin
 subnet 0.0.0.0 0.0.0.0
 nat (inside,inside) dynamic interface

object network obj-192.168.100.10-hairpin
 host 192.168.100.10
 nat (inside,inside) static 72.35.20.201

or

 nat (inside,inside) static 72.35.20.201 service tcp www www

Assuming:

object network obj-192.168.100.10
 host 192.168.100.10
 nat (inside,outside) static 72.35.20.201

Also, assuming:

access-list acl_inside extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_inside extended deny ip any any
access-group acl_inside in interface inside
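
Why both hairpin rules are needed, as an added example that is not part of the original page: a small Python model of the packet walk, comparing the flow with and without the source translation (global (inside) 1 interface / nat (inside,inside) dynamic interface). The client 192.168.100.20, the ASA inside address 192.168.100.254 and the port numbers are assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

PUBLIC, SERVER = "72.35.20.201", "192.168.100.10"   # addresses from the page
ASA_INSIDE = "192.168.100.254"   # assumed inside interface address
CLIENT = "192.168.100.20"        # assumed inside client


class Asa:
    """Toy model of the two (inside,inside) rules, not a full ASA NAT engine."""

    def __init__(self, source_nat):
        self.source_nat = source_nat   # models 'nat (inside,inside) dynamic interface'
        self.xlate = {}                # PAT port -> original (client ip, client port)
        self.next_port = 20000         # constructed PAT port pool start

    def forward(self, pkt):
        """Client -> public address: the static rule rewrites the destination."""
        if pkt.dst != PUBLIC:
            return pkt
        src, sport = pkt.src, pkt.sport
        if self.source_nat:            # hide the client behind the inside interface
            sport, self.next_port = self.next_port, self.next_port + 1
            self.xlate[sport] = (pkt.src, pkt.sport)
            src = ASA_INSIDE
        return Packet(src, sport, SERVER, pkt.dport)

    def reverse(self, pkt):
        """Server reply arriving at the ASA: undo both translations."""
        client_ip, client_port = self.xlate[pkt.dport]
        return Packet(PUBLIC, pkt.sport, client_ip, client_port)


def hairpin(source_nat):
    """Return the reply as the client sees it and whether it matches its connection."""
    asa = Asa(source_nat)
    syn = Packet(CLIENT, 40000, PUBLIC, 80)
    at_server = asa.forward(syn)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply.dst == ASA_INSIDE:        # reply returns through the firewall
        reply = asa.reverse(reply)
    # otherwise the server is on the client's subnet and answers it directly
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return reply, accepted


if __name__ == "__main__":
    for flag in (True, False):
        print("source NAT:", flag, *hairpin(flag))
```

Without the source translation the server's reply reaches the client straight from 192.168.100.10, bypassing the ASA, so it does not match the connection the client opened to 72.35.20.201 and the session never establishes.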