Hairpinning

Jack_Knight asked:

I have been given the task of hairpinning one of our VPNs so they can go out the same interface. We have a web filter and it is desired that when vpn users are connected they use our network internet connection so they pass through the web filter. I have no idea how to do this. I have read documentation from Cisco and still am a bit confused.
Could someone please give me a step by step procedure to do this using the ASDM for the ASA 5510.

Thanks in advance.
batry_boy replied:

The following URL goes over how to do this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

Here are the commands:

same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.200.1-192.168.200.254
global (outside) 1 interface
nat (outside) 1 192.168.200.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall


You can substitute "DfltGrpPolicy" with whatever VPN policy you are applying to your VPN users.
Jack_Knight (asker) replied:

This does work, but I am still unable to go back out through the webfilter. All our users on the internal network have to pass through our webfilter. Our gateway is our internal router.
We need the hairpinned VPN to also pass through the webfilter.
Is it an web filter that is integrated with your firewall or a completely separate filter?  If it's separate, can you post a network diagram showing the filter's placement in relation to the firewall?
It is between the firewall and the internal router

Cloud--------Border Router-------Firewall------Web Filter------

***The web filter is a separate piece of hardware. It is called an IPRISM by ST Bernard***
I have also tried adding the VPN IP pool range in the IPRISM with no joy.

Sorry, guess I could have posted an actual diagram... Very tired today... This is just one of many projects I have been given. I even tried to add a route back to the gateway from the VPN IP pool. The client chooses
one of the IP pool addresses and uses it as a gateway. I tried to route that network back to the internal gateway. I need to figure this out soon.
Thanks in advance.
Is your web filter installed in bridge or proxy mode?  If it's installed in bridge mode, I believe you'll be out of luck since you won't be able to force the web traffic from the VPN clients to take the network path that the web filter is in line with.

If it's in proxy mode, then it may be just a matter of configuring your VPN clients' web browser to point to the web filter while they are in a VPN session.  I've never pushed out or enforced a setting like this for external users, but I would at least try it as a test to see if that fixes it.

If you were using a firewall that has tight integration with the firewall such as Websense, then this wouldn't be a problem, but you're not...:(
"Is your web filter installed in bridge or proxy mode?"
I will check. That would make a big difference.

" I've never pushed out or enforced a setting like this for external users"
We are a city and this VPN will run on mobile laptops with an air card. We have to filter the traffic for the web.

"If you were using a firewall that has tight integration with the firewall such as Websense, then this wouldn't be a problem, but you're not...:("

This device was here when I started and I had very little to do with the configuration or management of it, till now.... :(

I think the proxy or bridge mode is the key. I will look at this right away.

Thanks!

I will let you know when I test this.

Still does not work. It looks like it is never getting to the web filter. With the hairpinning it looks like it is going in and out of the firewall without passing back through the web filter.
That is exactly right...that's why you need a tightly integrated web filter to work with hairpinning.  Websense has actual commands that are entered into the firewall configuration that passes any HTTP traffic that the firewall sees over to the Websense server for filtering.

I think if you're going to continue to use this web filter, the only way you're going to get VPN users to be filtered by it when they are connected is for you to use a different VPN server (other than your Internet firewall) such that you put the web filter in line with the VPN user's web traffic.  In other words, a separate device would terminate the VPN connections, and then that device could point to your internal router as its default gateway, which would then forward the web traffic to the web filter and then out the firewall.

I know this is not an optimal solution for you right now, but maybe another expert will have other ideas how to make your scenario work without any additional equipment.
You are right, because I can't ping the internal interface of the firewall when on the VPN. I only have ping turned on at the internal interface. I can ping it from the LAN. I also contacted the manufacturer of the web filter and they basically told me a similar thing. I know they are not about to switch to another VPN server; that is why they purchased the ASA. I hope there is another solution.
Okay folks, the plot thickens. I used this VPN through my broadband connection at home and was able to get the browser to proxy through the web filter. Now I just have to figure out why it would not happen with the laptop and the air card.
ASKER CERTIFIED SOLUTION (batry_boy)
Iprism uses another port, which I configured with the proxy at home, and it works. It also looks like all the VPNs are hairpinning. I guess "same-security-traffic permit intra-interface" is a global command, because it applied even though I used a specific IP pool. I wish there was a way without using a proxy in the browser. I am also getting a bit nervous about security. What are the security implications? We only have a handful of users right now. I also was messing around with PAC files to get the browser to load the proxy when it sees the VPN connection. I'd better face it: the home VPN users are going to have full-blown access to the net and their files on the internal network.
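The proxy-mode approach suggested earlier in the thread (point the VPN clients' browsers at the web filter while the tunnel is up) and the PAC-file experiment mentioned above can be combined in one proxy auto-config script. The following is an added example, not code from the original thread or from St. Bernard: it sends web requests through the filter's proxy listener only when the client holds an address from the VPN pool used in the accepted answer (192.168.200.0/24) and lets intranet hosts go direct. The proxy address 10.1.1.20:3128 and the internal range 10.0.0.0/8 are assumptions; substitute the real iPrism proxy port. Browsers supply isInNet() and myIpAddress() themselves; small versions are included so the decision logic can be run and checked under Node.

```javascript
// Added example (not part of the original thread): PAC logic that forces VPN
// clients through the web filter's proxy. Assumed values are marked below.

const VPN_POOL = "192.168.200.0";        // pool from the accepted answer
const VPN_MASK = "255.255.255.0";
const FILTER_PROXY = "PROXY 10.1.1.20:3128"; // ASSUMED iPrism proxy listener
const INTERNAL_NET = "10.0.0.0";          // ASSUMED internal address range
const INTERNAL_MASK = "255.0.0.0";

// Dotted-quad IPv4 address -> unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isIpv4(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
}

// Minimal stand-in for the browser's isInNet(): true when ip falls inside
// net/mask. Only accepts literal addresses (no DNS resolution here).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Decide the proxy string for a destination host given the client's own
// address. Returned strings use the standard PAC vocabulary.
function chooseProxy(host, clientIp) {
  // Unqualified names (intranet) and literal internal addresses go direct;
  // the filter sits on the Internet path only.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (isIpv4(host) && isInNet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";

  // Client is on the VPN: everything else must traverse the web filter.
  // Deliberately no "; DIRECT" fallback, so an unreachable filter fails
  // closed instead of silently bypassing policy.
  if (isIpv4(clientIp) && isInNet(clientIp, VPN_POOL, VPN_MASK)) {
    return FILTER_PROXY;
  }

  // Not on the VPN (e.g. air card without the tunnel): nothing to enforce.
  return "DIRECT";
}

// Entry point a browser calls. In a browser myIpAddress() is built in;
// under Node it is absent, so we treat the client as off-VPN.
function FindProxyForURL(url, host) {
  const me = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(host, me);
}

// Stand-alone demonstration with constructed inputs.
console.log(chooseProxy("example.com", "192.168.200.17")); // PROXY 10.1.1.20:3128
console.log(chooseProxy("example.com", "10.5.6.7"));       // DIRECT
console.log(chooseProxy("intranet", "192.168.200.17"));    // DIRECT
```

Two caveats a practitioner should check before relying on this. myIpAddress() returns a single interface address and, depending on the browser and OS, it may not be the VPN adapter's pool address; test on the actual laptops with the air card, since that was exactly the case that behaved differently in this thread. Second, a PAC file only steers browsers that honour it; with tunnelall in force, non-browser traffic still hairpins straight out of the ASA without ever touching the filter.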
Okay, I guess I had missed this before. There is an option in the firewall to set the proxy. All the info above was very helpful in motivating me to look at certain aspects of the problem. I thank you very much.