Solved

Hairpinning on ASA

Posted on 2008-06-18
Last Modified: 2008-11-05
I am attempting to replace a Netscreen, which is the firewall for the main internet line, with an ASA 5505 (192.168.1.5). I have a second ASA (192.168.1.250) which is on a separate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line (192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created NAT exemptions between all subnets and enabled intra-interface communication on the inside VLAN.

What seems to be happening now is pings work and I am guessing that UDP traffic is passing as well. I am seeing "DENY TCP (no connection)" errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the source.

Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets, but this isn't a good long term solution.

Question by:hindsight
9 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21816929
Try using the following command to allow VPN traffic to bypass the ACLs.

sysopt connection permit-ipsec
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21818387
You are correct in why TCP traffic is not working.

Does the main Internet ASA have the security plus license?  If so, what I would do is create a 3rd VLAN on the main ASA and connect the VPN ASA to that VLAN so traffic to and from the VPN sites traverses the main ASA.  The alternative is to put a layer3 switch on the inside of the ASA and have it make routing decisions.
 
LVL 1

Author Comment

by:hindsight
ID: 21819228
There was one server I do not have control of. I was able to work around this issue by doing something similar to what you are suggesting. I put this route in the VPN ASA:

route inside 192.168.1.8 255.255.255.255 192.168.1.5

This forces return traffic through the main ASA for that one host. I could simply put the same entry in but for the whole subnet. It just seems like a Mickey Mouse workaround since the Netscreen had no problem with this setup. I was mainly hoping I could somehow get the Cisco to not inspect packets on its trusted interface or at least do IP redirects. For now I am adding route add statements to the machines at the main site that need to access the other sites.

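The failure described in the question and the host-route workaround above, as a constructed simulation added here (not code from the thread): a simplified stateful inspector standing in for the main ASA, with the remote subnet, host addresses and flow order all assumed for illustration.

```python
"""Model of why TCP breaks when two ASAs share one inside subnet and the
return path bypasses the stateful firewall (constructed example)."""
MAIN_ASA, VPN_ASA = "192.168.1.5", "192.168.1.250"
HOST, REMOTE = "192.168.1.8", "10.2.0.10"   # remote VPN subnet is a placeholder

class StatefulFirewall:
    """Simplified TCP state tracking: a non-SYN segment is only allowed when it
    belongs to a connection whose full handshake this firewall has seen."""
    def __init__(self):
        self.conns = {}   # (src, dst) -> "embryonic" | "established"
        self.log = []

    def forward(self, pkt):
        key = (pkt["src"], pkt["dst"])
        rkey = (pkt["dst"], pkt["src"])
        if pkt["proto"] != "tcp":
            return True   # ICMP/UDP: no handshake state to validate, so a missed reply is harmless
        flags = pkt["flags"]
        if flags == "SYN":
            self.conns[key] = "embryonic"
            return True
        if flags == "SYN-ACK" and self.conns.get(rkey) == "embryonic":
            self.conns[rkey] = "established"
            return True
        if flags == "ACK" and self.conns.get(key) == "established":
            return True
        self.log.append(f"Deny TCP (no connection) {pkt['src']} -> {pkt['dst']} flags {flags}")
        return False

def run(proto, reply_via_main_asa):
    """The host sends via its default gateway (main ASA, hairpinned to the VPN ASA).
    The reply from the VPN ASA either goes straight to the host on the shared subnet,
    or back through the main ASA when a host route on the VPN ASA forces it."""
    fw = StatefulFirewall()
    out = lambda flags: {"src": HOST, "dst": REMOTE, "proto": proto, "flags": flags}
    back = lambda flags: {"src": REMOTE, "dst": HOST, "proto": proto, "flags": flags}
    if proto != "tcp":
        ok = fw.forward(out(None))
        return ok, fw.log
    ok = fw.forward(out("SYN"))
    if reply_via_main_asa:
        ok = ok and fw.forward(back("SYN-ACK"))   # firewall sees the second handshake step
    ok = ok and fw.forward(out("ACK"))             # third step arrives either way
    return ok, fw.log

if __name__ == "__main__":
    print("ping, asymmetric:", run("icmp", False))
    print("tcp, asymmetric: ", run("tcp", False))
    print("tcp, host route: ", run("tcp", True))
```

The asymmetric TCP case reproduces the "Deny TCP (no connection)" symptom while ping succeeds; forcing the reply back through the main ASA, as the host route does, lets the handshake complete.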
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 21821176
Well, it would be easy enough to just connect the inside interface of the VPN ASA to a "DMZ" or 3rd VLAN on the main ASA (if you are running the security plus license).  The outside would remain the same.  You wouldn't have to change routing at all at that point.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21828243
Try this. I have not yet had the opportunity to configure hairpinning but there are some sites I have that it would be useful so I am interested to see how this works for you.

Enable intra-interface communications (I see you have done this):

same-security-traffic permit intra-interface

Apply PAT to the traffic as it traverses in then out the inside interface. You can attempt to NAT instead:

global (inside) 1 interface

Let me know if this works. If you still have trouble I may setup a test environment myself to see if I can get it working.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21884356
Any luck?
 
LVL 1

Author Comment

by:hindsight
ID: 21919047
I originally had seen an article about that and tried to NAT the traffic from the main site, but it didn't seem to work. I think the problem with that is if someone from the remote site tries to send a packet to the main site, it won't be NATed coming in, then the return packet would still go through the main Cisco on the way back and be NATed.
I may do the DMZ way because I am also considering adding a failover license so I could automatically route internet traffic through the VPN Cisco if the main internet line ever goes down, but I haven't figured out how I'm going to do it.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21928180
If the hairpinning config didn't work, either JFrederick29's solution or an internal router would be the next best thing.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 22054365
Any updates on this situation?