Solved

Hairpinning on ASA

Posted on 2008-06-18
Last Modified: 2008-11-05
I am attempting to replace a Netscreen, which is the firewall for the main internet line, with an ASA 5505 (192.168.1.5). I have a second ASA (192.168.1.250) which is on a separate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line (192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created NAT exemptions between all subnets and enabled intra-interface communication on the inside VLAN.

What seems to be happening now is pings work and I am guessing that UDP traffic is passing as well. I am seeing "DENY TCP (no connection)" errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the source.

Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets, but this isn't a good long-term solution.

Question by:hindsight
9 Comments

Expert Comment

by:raptorjb007
ID: 21816929
Try using the following command to allow VPN traffic to bypass the ACLs.

sysopt connection permit-ipsec

Expert Comment

by:JFrederick29
ID: 21818387
You are correct in why TCP traffic is not working.

Does the main Internet ASA have the security plus license?  If so, what I would do is create a 3rd VLAN on the main ASA and connect the VPN ASA to that VLAN so traffic to and from the VPN sites traverses the main ASA.  The alternative is to put a layer3 switch on the inside of the ASA and have it make routing decisions.

Author Comment

by:hindsight
ID: 21819228
There was one server I do not have control of. I was able to work around this issue by doing something similar to what you are suggesting. I put this route in the VPN ASA:

route inside 192.168.1.8 255.255.255.255 192.168.1.5

This forces return traffic through the main ASA for that one host. I could simply put the same entry in but for the whole subnet. It just seems like a Mickey Mouse workaround since the Netscreen had no problem with this setup. I was mainly hoping I could somehow get the Cisco to not inspect packets on its trusted interface or at least do IP redirects. For now I am adding route add statements to the machines at the main site that need to access the other sites.


Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 21821176
Well, it would be easy enough to just connect the inside interface of the VPN ASA to a "DMZ" or 3rd VLAN on the main ASA (if you are running the security plus license).  The outside would remain the same.  You wouldn't have to change routing at all at that point.
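To make the accepted design concrete, here is an added configuration example (not posted in the thread) of the third-VLAN layout JFrederick29 describes. It assumes the Security Plus license on the 5505, and every identifier in it is a placeholder: VLAN 3 with the name vpnlink, the 192.168.3.0/24 transit network, Ethernet0/2 as the port the VPN ASA plugs into, and 10.10.0.0/16 standing in for the remote VPN subnets, which the thread never names. The pre-8.3 NAT syntax matches what the thread already uses.

```cisco
! ---- Main ASA 5505 (192.168.1.5) ----
! Third VLAN facing the inside interface of the VPN ASA. Placeholder
! VLAN id, name, addresses and port; adjust to the real environment.
interface Vlan3
 nameif vpnlink
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Remote VPN subnets (placeholder 10.10.0.0/16) are now reached through
! the vpnlink interface, so both directions of every flow cross this box
! and the stateful TCP check sees the full handshake.
route vpnlink 10.10.0.0 255.255.0.0 192.168.3.2 1
!
! No translation between the LAN and the remote sites. A nat 0 ACL
! exemption is bidirectional, so this also covers remote-initiated flows.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
!
! vpnlink is a lower-security interface, so inbound traffic needs an ACL.
! Only the remote subnets may reach the LAN; nothing else on that link may.
access-list vpnlink_in extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group vpnlink_in in interface vpnlink

! ---- VPN ASA (formerly 192.168.1.250) ----
! Its inside interface moves onto the transit VLAN. The outside interface,
! the crypto map and the IPsec tunnels (which still reference 192.168.1.0/24
! as interesting traffic) are left untouched.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
! Send the main-site LAN back through the main ASA rather than directly
! to hosts; this is what removes the asymmetric return path.
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
```

With this layout the main ASA no longer needs `same-security-traffic permit intra-interface` for the site-to-site traffic, and the per-host `route inside 192.168.1.8 ...` entries and the static routes on the servers can be removed. Verify with `show route` on both boxes and `show conn` on the main ASA while a remote TCP session is open: the connection should appear with a normal (not embryonic) TCP state, and the "Deny TCP (no connection)" messages should stop.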

Expert Comment

by:raptorjb007
ID: 21828243
Try this. I have not yet had the opportunity to configure hairpinning but there are some sites I have that it would be useful so I am interested to see how this works for you.

Enable intra-interface communications (I see you have done this)

same-security-traffic permit intra-interface

Apply PAT to the traffic as it traverses in then out the inside interface. You can attempt to NAT instead.

global (inside) 1 interface

Let me know if this works. If you still have trouble I may setup a test environment myself to see if I can get it working.
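If the hairpin approach is kept instead, the asker's actual question ("have the ASA not inspect local TCP traffic") has a direct answer on later ASA software: TCP state bypass, added in ASA 8.2(1). The following is an added example, not configuration from anyone in the thread, and it uses the same placeholders as above (10.10.0.0/16 for the remote VPN subnets, pre-8.3 NAT syntax). It keeps the existing hairpin routing and relaxes the stateful TCP check only for the site-to-site flows that the main ASA can never see in both directions.

```cisco
! ---- Main ASA (192.168.1.5), hairpin design kept ----
! Allow traffic to enter and leave the same interface (already done per the
! thread) and route the remote subnets (placeholder 10.10.0.0/16) back out
! the inside interface towards the VPN ASA.
same-security-traffic permit intra-interface
route inside 10.10.0.0 255.255.0.0 192.168.1.250 1
!
! No translation for the hairpinned traffic in either direction.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
!
! TCP state bypass (ASA 8.2(1) or later). Only flows between the LAN and the
! remote subnets are matched: these are exactly the flows whose SYN-ACKs (or,
! for remote-initiated sessions, whose SYNs) arrive via the VPN ASA and never
! cross this box, which is what produces "Deny TCP (no connection)".
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
!
class-map tcp_bypass_class
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the one-sided packets arrive (the inside
! interface, since that is where hosts send via their default gateway).
service-policy tcp_bypass_policy interface inside
```

Two caveats a practitioner should weigh before turning this on. First, bypassed flows lose the ASA's TCP protections (sequence and flag checking, the TCP normalizer, embryonic-connection limits, and TCP intercept), so keep the `tcp_bypass` ACL scoped to the exact source and destination subnets rather than `any`. Second, this is acceptable here only because the VPN ASA still sees both directions of every tunnel flow and keeps doing full stateful inspection; the main ASA is merely being told not to police a handshake it cannot observe. Check with `show service-policy interface inside` that the class is hitting, and with `show logging | include 106015` that the deny messages have stopped.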

Expert Comment

by:raptorjb007
ID: 21884356
any luck?

Author Comment

by:hindsight
ID: 21919047
I originally had seen an article about that and tried to NAT the traffic from the main site, but it didn't seem to work. I think the problem with that is if someone from the remote site tries to send a packet to the main site, it won't be NATed coming in, then the return packet would still go through the main Cisco on the way back and be NATed.
I may do the DMZ way because I am also considering adding a failover license so I could automatically route internet traffic through the VPN Cisco if the main internet line ever goes down, but haven't figured out how I'm going to do it.

Expert Comment

by:raptorjb007
ID: 21928180
If the hairpinning config didn't work, either JFrederick29's solution or an internal router would be the next best thing.

Expert Comment

by:raptorjb007
ID: 22054365
Any updates on this situation?