How to hairpin SSL Cisco AnyConnect, ASA Version 8.0(4), same interface, IPsec tunnels

How do I hairpin incoming AnyConnect clients (ip local pool SSLClientPool 10.0.20.150-10.0.20.152 mask 255.255.255.0) to the IPsec tunnel for the 10.0.10.0 network? Both the VPN and AnyConnect clients connect to the local network of 10.0.40.x fine.
ASA Version 8.0(4) 
!
hostname Confidential
domain-name Confidential.com
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.7.250 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.75.195.82 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Confidential.com
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.0.10.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.0.6.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.107.0.0 255.255.0.0 
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.0.4.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.0.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.106.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip any 10.0.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.0.6.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.107.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.0.4.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list outside_2_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.106.0.0 255.255.0.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VpnPool 10.0.20.100-10.0.20.102 mask 255.255.255.0
ip local pool SSLClientPool 10.0.20.150-10.0.20.152 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 75.75.195.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 10.0.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 75.75.195.34 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 75.75.195.215 
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn Confidential
 subject-name CN=Confidential
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=anyconnect.Confidential.com
 keypair CConfidential
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 0c7fea48
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 12081a49
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.40.0 255.255.255.0 inside
ssh 75.75.195.0 255.255.255.240 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.7.251-10.0.7.254 inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 10.106.4.31
 vpn-tunnel-protocol svc 
 default-domain value Confidential.local
 address-pools value SSLClientPool
group-policy WindyVpns internal
group-policy WindyVpns attributes
 vpn-tunnel-protocol IPSec 
username litia77 password encrypted== nt-encrypted privilege 0
username litia77 attributes
 service-type remote-access
username yankmydoodle password encrypted encrypted privilege 15
username WhatsUpDiggidy password encrypted == nt-encrypted privilege 0
username WhatsUpDiggidy attributes
 vpn-group-policy WindyVpns
 service-type remote-access
username GloriaEstaphan password encrypted == nt-encrypted privilege 0
username GloriaEstaphan attributes
 vpn-group-policy WindyVpns
 service-type remote-access
username CodeneTheBarbituate password encrypted encrypted
username CodeneTheBarbituate attributes
 service-type remote-access
username ManOfTheYear password encrypted encrypted privilege 0
username ManOfTheYear attributes
 service-type remote-access
tunnel-group 75.75.195.34 type ipsec-l2l
tunnel-group 75.75.195.34 ipsec-attributes
 pre-shared-key *
tunnel-group 75.75.195.215 type ipsec-l2l
tunnel-group 75.75.195.215 ipsec-attributes
 pre-shared-key *
tunnel-group WindyVpns type remote-access
tunnel-group WindyVpns general-attributes
 address-pool VpnPool
 default-group-policy WindyVpns
tunnel-group WindyVpns ipsec-attributes
 pre-shared-key *
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:71babe84a059c875e7e76ebba7c4e81e
: end


Asked by Guile777
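As an added check that is not part of the original question or answer, the script below parses the access-list, ip local pool and crypto map lines of the posted config and reports, per static crypto map entry, whether traffic from each SSLClientPool address toward 10.0.10.0/24 would match both the crypto ACL (what gets encrypted) and the nat 0 ACL (what is exempted from PAT); in the config as posted both ACLs name only 10.0.40.0/24 as the source, so the pool addresses are not covered. The function names are my own and ASA_CONFIG is a constructed excerpt of the question's config.

```python
import ipaddress
# Constructed excerpt of the config posted above (only the lines the check reads).
ASA_CONFIG = """
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.20.0 255.255.255.0
ip local pool SSLClientPool 10.0.20.150-10.0.20.152 mask 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

def _addr(tokens, i):
    """Parse one ACE address spec ('any' or 'NET MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Collect 'permit ip' ACEs per ACL, address pools, and crypto-map -> ACL bindings."""
    acls, pools, cmaps = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = tuple(int(ipaddress.ip_address(a)) for a in t[4].split("-"))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cmaps[f"{t[2]} {t[3]}"] = t[6]
    return acls, pools, cmaps

def pool_addresses(text, name):
    """Expand an 'ip local pool' range into its individual client addresses (strings)."""
    first, last = parse_config(text)[1][name]
    return [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]

def covered(aces, src_ip, dst_net):
    # An ACE matches when it permits src_ip to every address of dst_net.
    return any(src_ip in s and dst_net.subnet_of(d) for s, d in aces)

def tunnel_coverage(text, src_ips, remote_net, nat0_acl="inside_nat0_outbound"):
    """Per static crypto map entry: do all src_ips -> remote_net flows match the crypto ACL
    (so they are encrypted) and the nat0 ACL (so they are not PATed to the interface)?"""
    acls, _, cmaps = parse_config(text)
    remote = ipaddress.ip_network(remote_net)
    ips = [ipaddress.ip_address(s) for s in src_ips]
    def ok(acl):  # every src -> remote flow is permitted by this ACL
        return all(covered(acls.get(acl, []), ip, remote) for ip in ips)
    return {entry: (ok(acl), ok(nat0_acl)) for entry, acl in cmaps.items()}
```

Feeding the full posted config instead of the excerpt gives the same report for outside_map 2 as well.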
1 Solution
harbor235 commented:

Why would you want to do that even if it is possible (it's not)? Why not just configure another VPN and AnyConnect client VPNs to the remote location where 10.0.10.0/24 resides?

Clients can configure multiple VPN servers in the connect configs.

harbor235 ;}
