Why don't more organizations configure NAT U-turns/hairpins?

Solution 1:

Not everyone's network uses devices that can NAT at LAN speeds. It's not unusual to have devices that can route 100Mb/s but NAT a tenth of that while your LAN is all gigabit.

Often you have servers in the DMZ that you need high-speed access to locally. You want to back up your mail and web servers, right? And do you want your backups in the DMZ?

NAT also breaks long-lived, idle connections because the translation times out. Hairpin obscures the origin IP address, making audit trails useless. NAT, other than 1-to-1, is a painful hack, and you want internal traffic to be reliable.

Attack resistance is another issue. Connection flooding can cause your NAT device to run out of slots and there are companies that reboot their Internet-facing equipment regularly and would prefer not to disturb long-lived internal connections. Even if your equipment is entirely reliable, separating the internal network from the devices that handle the public IP space is just a good idea.

Solution 2:

This is how I was taught, so I don't have a better answer... but for me, it eliminates the reliance on the firewall device. In small businesses, the firewalls are typically low-end products (think Linksys/D-Link/SonicWall). Relying on it to access internal resources from inside the network can create problems. It's a bad dependency.

I have a client now who reboots their Cisco ASA 5510 firewall several times a day to fix a VoIP problem for remote users (probably an xlate issue). For their internal users who use Exchange and the usual public/private services, having internal DNS redirection at least limits the impact of the firewall reboots.

Edit:

But I needed it in a pinch recently...

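To make the two answers concrete, here is an added illustration (not code from either answer) of what a hairpin rule actually does to a packet and what the "internal DNS redirection" alternative does instead. The addresses, host name and zone data are constructed; the point it shows is that the SNAT step a hairpin needs (so replies come back through the firewall) is what replaces the original source address, which is why the server-side audit trail ends up useless, whereas the split-horizon answer hands internal clients the internal address and the firewall is never in the path.

```python
"""Hairpin NAT vs. split-horizon DNS, as a small simulation.
All addresses and names below are constructed for the example."""
from dataclasses import dataclass
import ipaddress

# Constructed topology: one LAN, one firewall, one mail server in it.
LAN = ipaddress.ip_network("192.168.1.0/24")
FW_LAN_IP = "192.168.1.1"        # firewall's inside address
FW_PUBLIC_IP = "203.0.113.10"    # firewall's public address (documentation range)
MAIL_INTERNAL = "192.168.1.25"   # real address of the mail server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def hairpin_nat(pkt: Packet) -> Packet:
    """Model of a typical hairpin rule set on the firewall.

    DNAT: anything aimed at the public IP goes to the internal server.
    SNAT: if the sender is on the LAN, the source is rewritten to the
    firewall's LAN address so the server's replies return via the
    firewall instead of going straight back to the client.  That SNAT
    is what destroys the origin IP in the server's logs.
    """
    if pkt.dst != FW_PUBLIC_IP:
        return pkt  # not a hairpin candidate; untouched
    inside = ipaddress.ip_address(pkt.src) in LAN
    new_src = FW_LAN_IP if inside else pkt.src
    return Packet(src=new_src, dst=MAIL_INTERNAL, sport=pkt.sport, dport=pkt.dport)


# Constructed split-horizon zone: one name, two views.
ZONE = {
    "mail.example.com": {"internal": MAIL_INTERNAL, "public": FW_PUBLIC_IP},
}


def resolve(name: str, client_ip: str) -> str:
    """Split-horizon answer: LAN clients get the internal address,
    everyone else gets the public one (what 'internal DNS redirection'
    in the second answer boils down to)."""
    view = "internal" if ipaddress.ip_address(client_ip) in LAN else "public"
    return ZONE[name][view]


def source_seen_by_server(client_ip: str, use_split_dns: bool) -> str:
    """What the mail server would log as the peer address for a
    connection from client_ip, depending on which approach the site uses."""
    if use_split_dns and ipaddress.ip_address(client_ip) in LAN:
        # Client resolved the internal address and connects directly;
        # the firewall is not involved, so the real source is preserved.
        return client_ip
    # Client used the public address; the hairpin path rewrites it.
    return hairpin_nat(Packet(client_ip, FW_PUBLIC_IP, 40000, 25)).src


if __name__ == "__main__":
    for ip in ("192.168.1.50", "198.51.100.7"):
        print(ip, "hairpin ->", source_seen_by_server(ip, False),
              "| split DNS ->", source_seen_by_server(ip, True))
```

Running it shows the internal client appearing as 192.168.1.1 in the hairpin case and as itself in the split-DNS case, while an external client looks the same either way; that difference is the audit-trail point from the first answer and the reason the second answer prefers DNS over depending on the firewall.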