Solved

hairpinning on an outside interface

Posted on 2013-12-19
Last Modified: 2016-01-04
Hello,
Without getting into all of the gory details of the network setup and the reasons behind it all, I need to configure hairpinning between 2 Cisco ASAs running 8.4(3) at different locations. I've found several config examples, but all of them are site-to-site VPNs working with VPN clients and the clients needing access to that spoke, remote network. My setup is for outside requests to what we'll call the main site, 10.0.1.1. If a person makes an http or https request to my main site, the ASA there and the hairpinning configuration will recognize the request and forward the packet on to 20.0.2.2, my 2nd site, and that ASA is accepting (already set up and working) http and https requests from anywhere.

Like I mentioned, I've found numerous examples of doing hairpinning between site-to-site VPNs and VPN clients, all inside authenticated connections, but this one has a different configuration of course. I'm not caring if anyone is authenticated. I'm not caring who you are (unless you are trying to break in!)

Does anyone have anything like this in use, or know where I can find a configuration example to go forward with?

Here's a configuration example I was trying.

same-security-traffic permit intra-interface
object network obj_10.0.1.1
 subnet 10.0.1.1 255.255.255.255
object network obj_10.0.2.2
 subnet 10.0.2.2 255.255.255.255
source static OBJ-10.0.1.1 OBJ-10.0.1.1 destination static OBJ-10.0.2.2 OBJ-10.0.2.2

I've also found, from config examples, that I need to add an ACL to allow http and https so they don't get dropped at the main site.

I do appreciate any help. Thank you.

A couple of links I've been working from to get this working:

http://www.cisco.com/en/US/customer/docs/security/asa/asa91/configuration/firewall/nat_overview.html

http://networkswoot.blogspot.com/2012/11/cisco-asa-how-to-allow-client-vpn.html

http://www.petenetlive.com/KB/Article/0000040.htm
Question by: discmakers

7 Comments
Expert Comment

by:Quori
ID: 39731119
Before I go down the route of trying to fix this via destination NAT, have you considered just using 301 redirects to achieve this in a cleaner way? It would require a web server at the first site.
Author Comment

by:discmakers
ID: 39731592
This is if the main server is down hard. We have a duplicate web server running, where all data is synced at the 2nd site. If the main server is off, hairpinning via ASA will redirect to my 2nd location.
Expert Comment

by:Quori
ID: 39732595
I presume you know it won't be automatic failover and you'll need to put the NAT config in each time you want it active?
Author Comment

by:discmakers
ID: 39733095
I do, and that's fine. It's a 3-minute fix instead of waiting potentially for hours for DNS to propagate.
Accepted Solution

by: discmakers
ID: 39765483
I got this to work with help from a Cisco TAC (Thank you Alejandro!)

The biggest problem that had to be changed is that the original NAT I wrote out had a wrong object set up at the beginning of the statement. Changing to "source static obj_any" from "source static obj-10.0.1.1" was the biggest thing it was stumbling over. I put in the config changes needed below, for both sides and traffic processes. Also, making sure I had ACLs in the main site ASA to allow traffic to proceed through to the 2nd site IP address (see the ACL right below) is important too, or it gets blocked right there. The 2nd site ASA didn't need any changes from when I first put this together. As long as public traffic was allowed to proceed through this ASA to the web server, all was good there.

Main site ASA config additions needed:

object network obj_10.0.1.1
 subnet 10.0.1.1 255.255.255.255
object network obj_10.0.2.2
 subnet 10.0.2.2 255.255.255.255

access-list outside_access_in extended permit tcp any object obj_10.0.2.2 eq www
access-list outside_access_in extended permit tcp any object obj_10.0.2.2 eq https

nat (outside,outside) source static obj_any obj_10.0.1.1 destination static obj_10.0.1.1 obj_10.0.2.2

2nd site ASA config additions needed:

object network 192.168.1.1
 host 192.168.1.1
object network 10.0.2.2
 host 10.0.2.2

access-list outside_access_in extended permit tcp any object 192.168.1.1 eq www
access-list outside_access_in extended permit tcp any object 192.168.1.1 eq https

nat (inside,outside) source static 192.168.1.1 10.0.2.2
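To make the difference between the question's NAT line and the accepted one concrete, here is a small Python model of how an ASA 8.3+ twice-NAT rule and the inbound interface ACL are evaluated on the main-site box. This is an added example, not Cisco code and not either poster's configuration: it only models the two things the fix depends on (a twice-NAT rule matches an inbound packet on real source and mapped destination, and the outside_access_in ACL is checked against the real, untranslated destination, which is why it permits obj_10.0.2.2). The object obj_any is assumed to be 0.0.0.0/0, and the client address 203.0.113.5 is a constructed example from the documentation range.

```python
"""Toy model of ASA 8.3+ twice NAT plus the inbound interface ACL.

Added example, not Cisco code and not the thread's configuration. It
simulates only what the accepted solution relies on:
  * a twice-NAT rule matches an inbound packet on (real source, mapped
    destination) and rewrites it to (mapped source, real destination);
  * the inbound interface ACL is evaluated against the real (untranslated)
    destination, which is why the ACL permits obj_10.0.2.2.
obj_any is assumed to be 0.0.0.0/0; 203.0.113.5 is a constructed client.
"""
import ipaddress
from dataclasses import dataclass

# Network objects named in the thread; obj_any's definition is an assumption.
OBJECTS = {
    "obj_any": ipaddress.ip_network("0.0.0.0/0"),
    "obj_10.0.1.1": ipaddress.ip_network("10.0.1.1/32"),
    "obj_10.0.2.2": ipaddress.ip_network("10.0.2.2/32"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class TwiceNat:
    """Models: nat (outside,outside) source static REAL_SRC MAPPED_SRC
                                     destination static MAPPED_DST REAL_DST
    Cisco writes the source pair real-first and the destination pair
    mapped-first, which is easy to get backwards.
    """
    real_src: str
    mapped_src: str
    mapped_dst: str
    real_dst: str


def _host(obj_name):
    """Single address of a /32 object (static mapping to one host)."""
    net = OBJECTS[obj_name]
    if net.num_addresses != 1:
        raise ValueError(f"{obj_name} is not a single-host object")
    return str(net.network_address)


def apply_inbound_nat(rule, pkt):
    """Return the translated packet, or None when the rule does not match."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in OBJECTS[rule.real_src] and dst in OBJECTS[rule.mapped_dst]:
        return Packet(_host(rule.mapped_src), _host(rule.real_dst), pkt.dport)
    return None


def acl_permits(acl, real_dst, dport):
    """acl: (object name, port) pairs taken from lines of the form
    'access-list outside_access_in extended permit tcp any object X eq PORT'."""
    return any(ipaddress.ip_address(real_dst) in OBJECTS[obj] and port == dport
               for obj, port in acl)


def forward(rule, acl, pkt):
    """Returns (status, packet); status is 'no-nat-match', 'acl-denied' or 'forwarded'."""
    translated = apply_inbound_nat(rule, pkt)
    if translated is None:
        return "no-nat-match", pkt
    if not acl_permits(acl, translated.dst, translated.dport):
        return "acl-denied", translated
    return "forwarded", translated


# The rule from the question: identity NAT whose source half only matches 10.0.1.1 itself.
ORIGINAL_RULE = TwiceNat("obj_10.0.1.1", "obj_10.0.1.1", "obj_10.0.2.2", "obj_10.0.2.2")
# The rule from the accepted solution.
FIXED_RULE = TwiceNat("obj_any", "obj_10.0.1.1", "obj_10.0.1.1", "obj_10.0.2.2")
# outside_access_in from the accepted solution (www = 80, https = 443).
OUTSIDE_ACCESS_IN = [("obj_10.0.2.2", 80), ("obj_10.0.2.2", 443)]

if __name__ == "__main__":
    client = Packet("203.0.113.5", "10.0.1.1", 443)  # constructed Internet client
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        print(name, forward(rule, OUTSIDE_ACCESS_IN, client))
```

Running it shows the question's rule returning no-nat-match for an Internet client (its source half only ever matches packets sourced from 10.0.1.1), while the accepted rule rewrites the same packet to 10.0.1.1 -> 10.0.2.2 and the ACL then permits it on 80 and 443 only; a port not listed in outside_access_in is reported as acl-denied, which is the "blocked right there" case the answer describes.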
