Hairpinning on ASA

I am attempting to replace a Netscreen, which is the firewall for the main internet line, with an ASA 5505 (192.168.1.5). I have a second ASA (192.168.1.250) which is on a separate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line (192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created NAT exemptions between all subnets and enabled intra-interface communication on the inside VLAN.

What seems to be happening now is pings work and I am guessing that UDP traffic is passing as well. I am seeing "Deny TCP (no connection)" errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the source.

Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets, but this isn't a good long-term solution.

Asked by hindsight
1 Solution
 
raptorjb007 commented:
Try using the following command to allow VPN traffic to bypass the ACLs.

sysopt connection permit-ipsec
 
JFrederick29 commented:
You are correct in why TCP traffic is not working.

Does the main Internet ASA have the Security Plus license? If so, what I would do is create a 3rd VLAN on the main ASA and connect the VPN ASA to that VLAN so traffic to and from the VPN sites traverses the main ASA. The alternative is to put a layer 3 switch on the inside of the ASA and have it make routing decisions.
 
hindsight (author) commented:
There was one server I do not have control of. I was able to work around this issue by doing something similar to what you are suggesting. I put this route in the VPN ASA:

route inside 192.168.1.8 255.255.255.255 192.168.1.5

This forces return traffic through the main ASA for that one host. I could simply put the same entry in but for the whole subnet. It just seems like a Mickey Mouse workaround since the Netscreen had no problem with this setup. I was mainly hoping I could somehow get the Cisco to not inspect packets on its trusted interface or at least do IP redirects. For now I am adding route add statements to the machines at the main site that need to access the other sites.

JFrederick29 commented:
Well, it would be easy enough to just connect the inside interface of the VPN ASA to a "DMZ" or 3rd VLAN on the main ASA (if you are running the Security Plus license). The outside would remain the same. You wouldn't have to change routing at all at that point.
 
raptorjb007 commented:
Try this. I have not yet had the opportunity to configure hairpinning, but there are some sites I have where it would be useful, so I am interested to see how this works for you.

Enable intra-interface communications (I see you have done this):

same-security-traffic permit intra-interface

Apply PAT to the traffic as it traverses in, then out, the inside interface. You can attempt to NAT instead:

global (inside) 1 interface

Let me know if this works. If you still have trouble I may setup a test environment myself to see if I can get it working.
 
raptorjb007 commented:
Any luck?
 
hindsight (author) commented:
I originally had seen an article about that and tried to NAT the traffic from the main site, but it didn't seem to work. I think the problem with that is if someone from the remote site tries to send a packet to the main site, it won't be NATed coming in; then the return packet would still go through the main Cisco on the way back and be NATed.
I may do the DMZ way because I am also considering adding a failover license so I could automatically route internet traffic through the VPN Cisco if the main internet line ever goes down, but I haven't figured out how I'm going to do it.
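The asymmetric-path failure the question describes and the three remedies discussed in the thread (hairpin PAT on the main ASA, static routes on the server, and the host route on the VPN ASA pointing back through the main ASA) are modelled below as an added example; it is not configuration or code from the original thread. The ASA's connection tracking is reduced to a toy handshake tracker that drops any segment with no matching connection (the "Deny TCP (no connection)" case) or one that arrives out of handshake order. The addresses 192.168.1.5, 192.168.1.250 and 192.168.1.8 come from the question; the remote VPN subnet 10.2.0.0/16, the remote host 10.2.0.10 and port 3389 are constructed, since the page does not name the VPN subnets. It also reproduces the author's later observation that hairpin PAT only repairs connections started from the main site.

```python
"""Toy model of why TCP breaks when the main ASA only sees half of each flow.
Added illustration, not configuration from the thread. The remote subnet
10.2.0.0/16, the remote host 10.2.0.10 and port 3389 are constructed values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

HOST, MAIN_ASA, VPN_ASA, REMOTE = "192.168.1.8", "192.168.1.5", "192.168.1.250", "10.2.0.10"
REMOTE_NET = ip_network("10.2.0.0/16")  # constructed: the VPN subnets are not named on the page


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class MainASA:
    """Simplified stateful inspection: a SYN creates a connection entry; every later
    segment must match an entry and follow the handshake order or it is dropped."""

    def __init__(self, hairpin_pat=False):
        self.conns, self.xlate, self.hairpin_pat, self.log = {}, {}, hairpin_pat, []

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same key in both directions

    def forward(self, p):
        for real, xport in list(self.xlate.items()):  # undo hairpin PAT on replies to 192.168.1.5
            if (p.dst, p.dport) == (MAIN_ASA, xport):
                p = replace(p, dst=real[0], dport=real[1])
        state = self.conns.get(self.key(p))
        if p.flags == "SYN":
            self.conns[self.key(p)] = "SYN"
        elif state is None:
            self.log.append(f"Deny TCP (no connection) {p.src}:{p.sport} -> {p.dst}:{p.dport} flags {p.flags}")
            return None
        elif (p.flags, state) == ("SYN-ACK", "SYN"):
            self.conns[self.key(p)] = "SYN-ACK"
        elif p.flags == "ACK" and state in ("SYN-ACK", "ESTABLISHED"):
            self.conns[self.key(p)] = "ESTABLISHED"
        else:
            self.log.append(f"Drop {p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport}: handshake out of order")
            return None
        if self.hairpin_pat and ip_address(p.dst) in REMOTE_NET:  # 'global (inside) 1 interface'
            xport = self.xlate.setdefault((p.src, p.sport), 10000 + len(self.xlate))
            p = replace(p, src=MAIN_ASA, sport=xport)
        return p


@dataclass
class Net:
    asa: MainASA
    host_static_route: bool = False   # 'route add' for the VPN subnets on the server itself
    vpn_asa_host_route: bool = False  # 'route inside 192.168.1.8 255.255.255.255 192.168.1.5' on the VPN ASA

    def next_hop(self, node, p):
        dst = ip_address(p.dst)
        if node == HOST:    # default gateway is the main ASA unless a static route is added
            return VPN_ASA if self.host_static_route and dst in REMOTE_NET else MAIN_ASA
        if node == REMOTE:  # everything from the remote site rides the tunnel
            return VPN_ASA
        if node == VPN_ASA:
            if dst in REMOTE_NET:
                return REMOTE
            if self.vpn_asa_host_route and p.dst == HOST:
                return MAIN_ASA  # the author's workaround: send return traffic via the main ASA
            return p.dst         # 192.168.1.0/24 is directly connected, so deliver straight to it
        if node == MAIN_ASA:
            return VPN_ASA if dst in REMOTE_NET else p.dst
        raise ValueError(node)


def walk(p, net):
    """Carry one segment hop by hop; return (path, segment as delivered) or (path, None) if dropped."""
    node, path = p.src, [p.src]
    while True:
        if node == MAIN_ASA:
            p = net.asa.forward(p)  # may rewrite addresses or drop the segment
            if p is None:
                return path, None
        if node == p.dst:
            return path, p
        node = net.next_hop(node, p)
        path.append(node)


def handshake(client, server, net):
    """Three-way handshake across the model; True if all three segments arrive."""
    _, syn = walk(Pkt(client, 40000, server, 3389, "SYN"), net)
    if syn is None:
        return False
    _, synack = walk(Pkt(syn.dst, syn.dport, syn.src, syn.sport, "SYN-ACK"), net)  # reply to what the server saw
    if synack is None:
        return False
    return walk(Pkt(synack.dst, synack.dport, synack.src, synack.sport, "ACK"), net)[1] is not None


def evaluate(hairpin_pat=False, **routes):
    """Return (local_initiated_ok, remote_initiated_ok, main_asa_log) for one topology variant."""
    net = Net(MainASA(hairpin_pat), **routes)
    return handshake(HOST, REMOTE, net), handshake(REMOTE, HOST, net), net.asa.log


if __name__ == "__main__":
    for name, kw in [("as described in the question", {}), ("hairpin PAT on the main ASA", {"hairpin_pat": True}),
                     ("static route on the server", {"host_static_route": True}),
                     ("host route on the VPN ASA via the main ASA", {"vpn_asa_host_route": True})]:
        local, remote, log = evaluate(**kw)
        print(f"{name:44} local->remote {'ok' if local else 'FAIL'}  remote->local {'ok' if remote else 'FAIL'}")
        for line in log:
            print("    ", line)
```

Running it shows the baseline failing in both directions (the server's SYN-ACK to a remote-initiated connection hits the main ASA with no connection entry, and the local host's ACK arrives on an entry that never saw the SYN-ACK), hairpin PAT fixing only connections started from the main site, and both routing fixes making every path symmetric. The static route on the server works because the main ASA then never sees the flow at all; the host route on the VPN ASA works because it sees all of it.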
 
raptorjb007 commented:
If the hairpinning config didn't work, either JFrederick29's solution or an internal router would be the next best thing.
 
raptorjb007 commented:
Any updates on this situation?