Hairpinning on ASA

Posted on 2008-06-18
Last Modified: 2008-11-05
I am attempting to replace a Netscreen, which is the firewall for the main internet line, with an ASA 5505 (192.168.1.5). I have a second ASA (192.168.1.250) which is on a separate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line (192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created NAT exemptions between all subnets and enabled intra-interface communication on the inside VLAN.

What seems to be happening now is pings work and I am guessing that UDP traffic is passing as well. I am seeing "DENY TCP (no connection)" errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the source.

Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets, but this isn't a good long-term solution.

Question by:hindsight
9 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21816929
Try using the following command to allow VPN traffic to bypass the ACLs.

sysopt connection permit-ipsec
LVL 43

Expert Comment

by:JFrederick29
ID: 21818387
You are correct in why TCP traffic is not working.

Does the main Internet ASA have the security plus license?  If so, what I would do is create a 3rd VLAN on the main ASA and connect the VPN ASA to that VLAN so traffic to and from the VPN sites traverses the main ASA.  The alternative is to put a layer3 switch on the inside of the ASA and have it make routing decisions.
LVL 1

Author Comment

by:hindsight
ID: 21819228
There was one server I do not have control of. I was able to work around this issue by doing something similar to what you are suggesting. I put this route in the VPN ASA:

route inside 192.168.1.8 255.255.255.255 192.168.1.5

This forces return traffic through the main ASA for that one host. I could simply put the same entry in but for the whole subnet. It just seems like a Mickey Mouse workaround since the Netscreen had no problem with this setup. I was mainly hoping I could somehow get the Cisco to not inspect packets on its trusted interface, or at least do IP redirects. For now I am adding route add statements to the machines at the main site that need to access the other sites.

LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 21821176
Well, it would be easy enough to just connect the inside interface of the VPN ASA to a "DMZ" or 3rd VLAN on the main ASA (if you are running the security plus license).  The outside would remain the same.  You wouldn't have to change routing at all at that point.
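JFrederick29 confirms the asymmetric-path diagnosis above, and the accepted solution fixes it by making the reply path traverse the main ASA. The following added example (not from this thread or from Cisco) models the main ASA's TCP connection tracking in Python to show why the client's ACK is logged as "Deny TCP (no connection)" when the SYN-ACK bypasses the main ASA, and why the handshake completes once the return path is forced back through it; the host addresses 192.168.1.20 and 192.168.2.10 are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed addresses mirroring the thread: main ASA 192.168.1.5 is the default
# gateway, the VPN ASA is 192.168.1.250; the two hosts are assumed for illustration.
LOCAL_HOST, REMOTE_HOST = "192.168.1.20", "192.168.2.10"

@dataclass
class StatefulFirewall:
    """Minimal TCP tracker: a SYN opens an embryonic connection, the SYN-ACK must
    be seen to complete it, and anything else without a completed connection is
    denied the way the ASA logs 'Deny TCP (no connection)'."""
    conns: dict = field(default_factory=dict)   # (src, dst) -> state
    log: list = field(default_factory=list)

    def forward(self, src, dst, flags):
        key, rev = (src, dst), (dst, src)
        if flags == "SYN":
            self.conns[key] = "SYN_SEEN"
            return True
        if flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "ESTABLISHED"
            return True
        if "ESTABLISHED" in (self.conns.get(key), self.conns.get(rev)):
            return True
        self.log.append(f"Deny TCP (no connection) from {src} to {dst} flags {flags}")
        return False

def handshake(main_asa, return_via_main):
    """Run the three-way handshake. Outbound segments always hit the main ASA (the
    default gateway hairpins them to the VPN ASA). return_via_main=False is the
    broken setup: the VPN ASA hands the SYN-ACK straight to the host. True models
    the host route on the VPN ASA or the DMZ-VLAN fix from the accepted answer."""
    segments = [(LOCAL_HOST, REMOTE_HOST, "SYN"),
                (REMOTE_HOST, LOCAL_HOST, "SYN-ACK"),
                (LOCAL_HOST, REMOTE_HOST, "ACK")]
    for src, dst, flags in segments:
        seen_by_main = src == LOCAL_HOST or return_via_main
        if seen_by_main and not main_asa.forward(src, dst, flags):
            return False
    return True

def asymmetric_path():
    """Thread's original topology: the ACK is dropped as 'no connection'."""
    fw = StatefulFirewall()
    return handshake(fw, return_via_main=False), fw.log

def symmetric_path():
    """Reply forced back through the main ASA: handshake completes, nothing denied."""
    fw = StatefulFirewall()
    return handshake(fw, return_via_main=True), fw.log
```

The model also explains why pings still work in the original setup: ICMP is not subject to the same SYN/SYN-ACK state check unless ICMP inspection is enabled.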
LVL 6

Expert Comment

by:raptorjb007
ID: 21828243
Try this. I have not yet had the opportunity to configure hairpinning but there are some sites I have that it would be useful so I am interested to see how this works for you.

Enable intra-interface communications (I see you have done this)

same-security-traffic permit intra-interface

Apply PAT to the traffic as it traverses in then out the inside interface. You can attempt to NAT instead.

global (inside) 1 interface

Let me know if this works. If you still have trouble I may setup a test environment myself to see if I can get it working.
LVL 6

Expert Comment

by:raptorjb007
ID: 21884356
Any luck?
LVL 1

Author Comment

by:hindsight
ID: 21919047
I originally had seen an article about that and tried to NAT the traffic from the main site, but it didn't seem to work. I think the problem with that is if someone from the remote site tries to send a packet to the main site, it won't be NATted coming in, then the return packet would still go through the main Cisco on the way back and be NATted.
I may do the DMZ way because I am also considering adding a failover license so I could automatically route internet traffic through the VPN Cisco if the main internet line ever goes down, but I haven't figured out how I'm going to do it.
LVL 6

Expert Comment

by:raptorjb007
ID: 21928180
If the hairpinning config didn't work, either JFrederick29's solution or an internal router would be the next best thing.
LVL 6

Expert Comment

by:raptorjb007
ID: 22054365
Any updates on this situation?