
Hairpinning

I have been given the task of hairpinning one of our VPNs so they can go out the same interface. We have a web filter and it is desired that when vpn users are connected they use our network internet connection so they pass through the web filter. I have no idea how to do this. I have read documentation from Cisco and still am a bit confused.
Could someone please give me a step-by-step procedure to do this using the ASDM for the ASA 5510?

Thanks in advance.
1 Solution
 
batry_boy commented:
The following URL goes over how to do this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

Here are the commands:

same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.200.1-192.168.200.254
global (outside) 1 interface
nat (outside) 1 192.168.200.0 255.255.255.0
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelall

You can substitute "DfltGrpPolicy" with whatever VPN policy you are applying to your VPN users.
 
Jack_Knight (Author) commented:
This does work, but I am still unable to go back out through the webfilter. All our users on the internal network have to pass through our webfilter. Our gateway is our internal router.
We need the hairpinned VPN to also pass through the webfilter.
 
batry_boy commented:
Is it a web filter that is integrated with your firewall or a completely separate filter? If it's separate, can you post a network diagram showing the filter's placement in relation to the firewall?
 
Jack_Knight (Author) commented:
It is between the firewall and the internal router

Cloud--------Border Router-------Firewall------Web Filter------

***The web filter is a separate piece of hardware. It is called an IPRISM by ST Bernard***
I have also tried adding the VPN IP pool range in the IPRISM with no joy.

Sorry, I guess I could have posted an actual diagram... Very tired today... This is just one of many projects I have been given. I even tried to add a route back to the gateway from the VPN IP pool. The client chooses one of the IP pool addresses and uses it as a gateway. I tried to route that network back to the internal gateway. I need to figure this out soon.
Thanks in advance.
 
batry_boy commented:
Is your web filter installed in bridge or proxy mode?  If it's installed in bridge mode, I believe you'll be out of luck since you won't be able to force the web traffic from the VPN clients to take the network path that the web filter is in line with.

If it's in proxy mode, then it may be just a matter of configuring your VPN clients' web browser to point to the web filter while they are in a VPN session.  I've never pushed out or enforced a setting like this for external users, but I would at least try it as a test to see if that fixes it.

If you were using a firewall that has tight integration with the firewall such as Websense, then this wouldn't be a problem, but you're not...:(
 
Jack_Knight (Author) commented:
"Is your web filter installed in bridge or proxy mode?"
I will check. That would make a big difference.

" I've never pushed out or enforced a setting like this for external users"
We are a city and this VPN will run on mobile laptops with an air card. We have to filter the traffic for the web.

"If you were using a firewall that has tight integration with the firewall such as Websense, then this wouldn't be a problem, but you're not...:("

This device was here when I started and I had very little to do with the configuration or management of it, till now... :(

I think the proxy or bridge mode is the key. I will look at this right away.

Thanks!

I will let you know when I test this.
 
Jack_Knight (Author) commented:
Still does not work. It looks like it is never getting to the web filter. With the hairpinning it looks like it is going in and out of the firewall without passing back through the web filter.
 
batry_boy commented:
That is exactly right... that's why you need a tightly integrated web filter to work with hairpinning. Websense has actual commands that are entered into the firewall configuration that pass any HTTP traffic that the firewall sees over to the Websense server for filtering.

I think if you're going to continue to use this web filter, the only way you're going to get VPN users to be filtered by it when they are connected is for you to use a different VPN server (other than your Internet firewall) such that you put the web filter in line with the VPN user's web traffic.  In other words, a separate device would terminate the VPN connections, and then that device could point to your internal router as its default gateway, which would then forward the web traffic to the web filter and then out the firewall.

I know this is not an optimal solution for you right now, but maybe another expert will have other ideas how to make your scenario work without any additional equipment.
 
Jack_Knight (Author) commented:
You are right, because I can't ping the internal interface of the firewall when on the VPN. I only have ping turned on at the internal interface. I can ping it from the LAN. I also contacted the manufacturer of the web filter and they basically told me a similar thing. I know they are not about to switch to another VPN server; that is why they purchased the ASA. I hope there is another solution.
 
Jack_Knight (Author) commented:
Okay folks, the plot thickens. I used this VPN through my broadband connection at home and was able to get the browser to proxy through the web filter. Now I just have to figure out why it would not happen with the laptop and the air card.
 
batry_boy commented:
That's a positive sign.  Maybe your air card ISP is applying filtering of some sort, though I can't think of what that could be if it works from your house.  When you configure the proxy setup in your browser, do you connect to a specific port or is it just TCP 80?
 
Jack_Knight (Author) commented:
iPRISM uses another port, which I configured with the proxy at home, and it works. It also looks like all the VPNs are hairpinning. I guess the same-security-traffic permit intra-interface is a global command, because even though I used a specific IP pool. I wish there was a way without using a proxy in the browser. I am also getting a bit nervous about security. What are the security implications? We only have a handful of users right now. I also was messing around with PAC files to get the browser to load the proxy when it sees the VPN connection. I better face it: the home VPN users are going to have full-blown access to the net and their files on the internal network.
 
Jack_Knight (Author) commented:
Okay, I guess I had missed it before. There is an option in the firewall to set the proxy. All the info above was very helpful in motivating me to look at certain aspects of the problem. I thank you very much.