Solved

Hairpinning on ASA

Posted on 2008-06-18
Last Modified: 2008-11-05
I am attempting to replace a Netscreen, which is the firewall for the main internet line, with an ASA 5505 (192.168.1.5). I have a second ASA (192.168.1.250) which is on a separate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line (192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created nat exemptions between all subnets and enabled intra-interface communication on the inside VLAN.

What seems to be happening now is pings work and I am guessing that UDP traffic is passing as well. I am seeing "Deny TCP (no connection)" errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the source.

Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets, but this isn't a good long-term solution.

Question by:hindsight
9 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21816929
Try using the following command to allow VPN traffic to bypass the ACLs.

sysopt connection permit-ipsec
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21818387
You are correct in why TCP traffic is not working.

Does the main Internet ASA have the security plus license?  If so, what I would do is create a 3rd VLAN on the main ASA and connect the VPN ASA to that VLAN so traffic to and from the VPN sites traverses the main ASA.  The alternative is to put a layer3 switch on the inside of the ASA and have it make routing decisions.
 
LVL 1

Author Comment

by:hindsight
ID: 21819228
There was one server I do not have control of. I was able to work around this issue by doing something similar to what you are suggesting. I put this route in the VPN ASA:

route inside 192.168.1.8 255.255.255.255 192.168.1.5

This forces return traffic through the main ASA for that one host. I could simply put the same entry in but for the whole subnet. It just seems like a Mickey Mouse workaround since the Netscreen had no problem with this setup. I was mainly hoping I could somehow get the Cisco to not inspect packets on its trusted interface or at least do IP redirects. For now I am adding route add statements to the machines at the main site that need to access the other sites.

 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 21821176
Well, it would be easy enough to just connect the inside interface of the VPN ASA to a "DMZ" or 3rd VLAN on the main ASA (if you are running the security plus license).  The outside would remain the same.  You wouldn't have to change routing at all at that point.
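The accepted solution above describes the design without the configuration. The following is an added example (not from this thread or from either expert) of what that third-VLAN design looks like on a 5505 pair. The transit addressing 10.10.10.0/30, VLAN 3, port Ethernet0/2, the interface name "vpnlink" and the remote site subnet 192.168.2.0/24 are constructed placeholders; the Security Plus license (unrestricted third VLAN) and pre-8.3 NAT syntax are assumed, matching the era of the thread.

```cisco
! Added example, not from the thread. Main ASA keeps inside = VLAN 1 (192.168.1.5/24).
! A third VLAN carries the link to the VPN ASA. Transit 10.10.10.0/30, VLAN 3,
! Ethernet0/2, the name "vpnlink" and remote subnet 192.168.2.0/24 are placeholders.
! Assumes ASA 5505 Security Plus and pre-8.3 NAT syntax.
!
! --- Main ASA (192.168.1.5) ---
interface Vlan3
 nameif vpnlink
 security-level 50
 ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/2
 switchport access vlan 3
!
! Remote sites are now reached through the new VLAN instead of across the LAN, so
! both directions of every session cross the main ASA and its TCP state stays valid.
route vpnlink 192.168.2.0 255.255.255.0 10.10.10.2
!
! Keep real addresses between the LAN and the VPN sites (NAT exemption). The inside
! interface is no longer hairpinned, so no PAT is involved.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! vpnlink (50) is lower security than inside (100): sessions started at a remote
! site need an explicit permit into the LAN. Limit it to the VPN subnets only.
access-list VPNLINK_IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group VPNLINK_IN in interface vpnlink
!
! --- VPN ASA (inside interface moves onto the transit VLAN) ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.252
!
! The LAN is no longer directly connected: route it to the main ASA. The crypto ACL
! and NAT exemption on this box must still name 192.168.1.0/24, not 10.10.10.0/30,
! or the tunnels stop matching the real LAN traffic.
route inside 192.168.1.0 255.255.255.0 10.10.10.1
```

After the move, a TCP session from a LAN host to a remote site should show up in `show conn` on the main ASA with both interfaces (inside and vpnlink) listed, and the 106015 "Deny TCP (no connection)" messages should no longer appear in `show logging`, because the main ASA now sees the SYN before it sees the SYN-ACK.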
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21828243
Try this. I have not yet had the opportunity to configure hairpinning but there are some sites I have that it would be useful so I am interested to see how this works for you.

Enable intra-interface communications (I see you have done this)

same-security-traffic permit intra-interface

Apply PAT to the traffic as it traverses in then out the inside interface. You can attempt to NAT instead.

global (inside) 1 interface

Let me know if this works. If you still have trouble I may setup a test environment myself to see if I can get it working.
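The two commands above are the core of the hairpin approach, but on their own they leave two gaps that a practitioner will hit: the NAT exemption the question mentions is evaluated before policy NAT and will silently win, and PAT only fixes sessions that start on the LAN. The following is an added example (not from this thread or from the expert) that puts the pieces together on both boxes. The remote site subnet 192.168.2.0/24 and the ACL names are constructed placeholders; pre-8.3 NAT syntax is assumed, as used in the comment above.

```cisco
! Added example, not from the thread. Main ASA 192.168.1.5 and VPN ASA 192.168.1.250
! both sit on VLAN 1 / 192.168.1.0/24 as described in the question. Pre-8.3 NAT
! syntax. Remote subnet 192.168.2.0/24 is a placeholder; repeat per site.
!
! --- Main ASA (default gateway for the LAN) ---
same-security-traffic permit intra-interface
!
! Send remote subnets to the VPN ASA; the packet enters and leaves via inside.
route inside 192.168.2.0 255.255.255.0 192.168.1.250
!
! Hairpin PAT: LAN hosts reaching the remote sites appear as 192.168.1.5, so the
! replies are addressed to the main ASA and must come back through it, which
! keeps the connection table consistent.
access-list HAIRPIN_PAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 access-list HAIRPIN_PAT
global (inside) 1 interface
!
! Caveat: NAT exemption (nat 0 access-list) is checked before policy NAT. If the
! existing exemption ACL also matches 192.168.1.0/24 -> 192.168.2.0/24, it wins and
! the PAT above never happens. Remove the VPN subnets from that exemption ACL.
!
! --- VPN ASA (192.168.1.250) ---
! PAT only covers sessions started on the LAN. A session started at a remote site
! is delivered straight to the LAN host by this box, and the host replies via its
! default gateway 192.168.1.5, which then drops the reply with
! "Deny TCP (no connection)". Force that direction through the main ASA as well,
! per host as in the thread. Note that a static 192.168.1.0/24 route would lose to
! this box's own connected route for the same prefix; if you want to cover the
! whole LAN, use two /25 entries (more specific than the connected /24) instead.
route inside 192.168.1.8 255.255.255.255 192.168.1.5
```

To verify, open a TCP session from a LAN host to a remote site and check `show xlate` on the main ASA for a PAT entry mapping the host to 192.168.1.5 and `show conn` for the matching TCP connection; if `show xlate` stays empty, the exemption ACL is still matching the traffic.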
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21884356
any luck?
 
LVL 1

Author Comment

by:hindsight
ID: 21919047
I originally had seen an article about that and tried to NAT the traffic from the main site but it didn't seem to work. I think the problem with that is if someone from the remote site tries to send a packet to the main site, it won't be NATted coming in, then the return packet would still go through the main Cisco on the way back and be NATted.
I may do the DMZ way because I am also considering adding a failover license so I could automatically route internet traffic through the VPN Cisco if the main internet line ever goes down but haven't figured out how I'm going to do it.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21928180
If the hairpinning config didn't work, either JFrederick29's solution or an internal router would be the next best thing.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 22054365
Any updates on this situation?
