On the Cisco ASA firewall you can redirect traffic that arrives on an interface back out the same interface if you want. This feature is available from version 7.2.2. To demonstrate it I built a small test topology with a Cisco ASA firewall and an internal router.
Requirements:
On the topology the Test PC should reach the 172.16.1.5 host.
The default gateway of the Test PC is the ASA firewall.
The ASA firewall should forward the traffic back out its inside interface to the inside router (172.18.2.254), and the router should send the reply packets to the ASA and not directly to the Test PC. To achieve this we need to configure a route map on the router.
ASA configuration:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.10.10.4 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.18.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging console debugging
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (inside,inside) 172.16.1.5 172.16.1.5 netmask 255.255.255.255 norandomseq
route inside 172.16.1.0 255.255.255.0 172.18.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Inside Router configuration:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
interface FastEthernet0/0
 ip address 172.18.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map test
 duplex auto
 speed auto
!
interface IDS-Sensor1/0
 no ip address
 shutdown
 hold-queue 60 out
!
ip route 0.0.0.0 0.0.0.0 172.18.2.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 172.16.1.5 172.18.2.0 0.0.0.255
route-map test permit 10
 match ip address 101
 set ip next-hop 172.18.2.1
!
control-plane
!
line con 0
line 33
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin mop udptn v120 ssh
line aux 0
line vty 0 4
 password cisco
 login local
line vty 5 15
 login
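Why the route map is needed becomes clear when the two devices' forwarding decisions are traced for both directions of the flow. The following Python script is an added example written for this page, not code from the original post: it models the ASA as a stateful device with the static route, the connection table and the same-security-traffic permit intra-interface setting, and the inside router with its connected routes, its default route and the route-map test policy from the configurations above. NAT (the static (inside,inside) entry) and inspection are not modelled. The Test PC address 172.18.2.10 and the fact that 172.16.1.5 uses the router's FastEthernet0/1 address as its gateway are assumptions, since the post does not state them.

```python
"""Trace the request and reply path of the ASA hairpin topology (constructed example)."""
import ipaddress

# Constructed addresses following the post's topology. TEST_PC is an assumption.
TEST_PC = "172.18.2.10"
TARGET_HOST = "172.16.1.5"
ASA_INSIDE = "172.18.2.1"
ROUTER_FA0_0 = "172.18.2.254"


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class Asa:
    """Minimal stateful firewall: connected networks, one static route,
    a connection table, and the intra-interface permit knob."""

    def __init__(self, intra_interface):
        self.intra_interface = intra_interface
        self.connected = {"inside": "172.18.2.0/24", "outside": "212.10.10.0/24"}
        # route inside 172.16.1.0 255.255.255.0 172.18.2.254
        self.routes = [("172.16.1.0/24", "inside", ROUTER_FA0_0)]
        self.conns = set()  # (src, dst) pairs accepted in the forward direction

    def egress(self, dst):
        for name, net in self.connected.items():
            if in_net(dst, net):
                return name, dst  # directly connected: deliver to the host itself
        for net, iface, nh in self.routes:
            if in_net(dst, net):
                return iface, nh
        return "outside", None

    def forward(self, iface_in, src, dst):
        """Return (verdict, next_hop); next_hop is None when the packet is dropped."""
        egr, nh = self.egress(dst)
        if (dst, src) in self.conns:
            return "reply of known connection", nh
        if iface_in == egr and not self.intra_interface:
            return "dropped: intra-interface traffic not permitted", None
        self.conns.add((src, dst))
        return "new connection permitted", nh


class Router:
    """Inside router: connected routes, default route to the ASA, optional PBR on Fa0/1."""

    def __init__(self, pbr):
        self.connected = {"Fa0/0": "172.18.2.0/24", "Fa0/1": "172.16.1.0/24"}
        self.default_gw = ASA_INSIDE
        # access-list 101 permit ip host 172.16.1.5 172.18.2.0 0.0.0.255 / set ip next-hop 172.18.2.1
        self.pbr = (
            {"iface": "Fa0/1", "src": "172.16.1.5/32", "dst": "172.18.2.0/24", "next_hop": ASA_INSIDE}
            if pbr else None
        )

    def next_hop(self, iface_in, src, dst):
        # PBR on the ingress interface is evaluated before the routing table.
        p = self.pbr
        if p and p["iface"] == iface_in and in_net(src, p["src"]) and in_net(dst, p["dst"]):
            return p["next_hop"]
        for net in self.connected.values():
            if in_net(dst, net):
                return dst  # directly connected: hand the packet to the host
        return self.default_gw


def simulate(intra_interface, pbr):
    """Return the hop lists for request and reply and whether the ASA saw the reply."""
    asa, rtr = Asa(intra_interface), Router(pbr)
    result = {"request": ["PC", "ASA"], "reply": [], "asa_saw_reply": False}
    # Request: the PC's default gateway is the ASA, which must hairpin it to the router.
    result["verdict"], nh = asa.forward("inside", TEST_PC, TARGET_HOST)
    if nh is None:
        return result
    result["request"].append("Router")
    hop = rtr.next_hop("Fa0/0", TEST_PC, TARGET_HOST)
    result["request"].append("Host" if hop == TARGET_HOST else hop)
    # Reply: the host sends to its gateway, the router's Fa0/1 (assumed).
    result["reply"] = ["Host", "Router"]
    hop = rtr.next_hop("Fa0/1", TARGET_HOST, TEST_PC)
    if hop == ASA_INSIDE:
        result["asa_saw_reply"] = True
        result["reply_verdict"], _ = asa.forward("inside", TARGET_HOST, TEST_PC)
        result["reply"].append("ASA")
    result["reply"].append("PC")  # without PBR this is a direct delivery, bypassing the ASA
    return result


if __name__ == "__main__":
    for intra, pbr in ((True, True), (False, True), (True, False)):
        print(f"intra-interface={intra} pbr={pbr}: {simulate(intra, pbr)}")
```

With both settings in place the reply travels Host, Router, ASA, PC and matches the connection the ASA built for the request. Without the intra-interface permit the ASA drops the request at the first hop. Without the route map the router delivers the reply straight onto 172.18.2.0/24, so the ASA never sees the return half of the flow; its connection entry then stays embryonic and its stateful checks on the rest of the conversation break, which is the asymmetric-routing condition the route map exists to avoid.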
Posted on November 17, 2010