8.Cisco ASA Hairpin Remote VPN Users



By default the Cisco ASA firewall drops traffic that enters and exits the same interface. This kind of flow is usually called a "hairpin" or "u-turn". Sometimes, however, we need the ASA to permit exactly this kind of traffic. Here's an example:

Cisco ASA Remote Access VPN Hairpin

Above we have an ASA firewall on the left side and a remote VPN user that connects to it. This remote VPN user is not using split tunneling, so all of its traffic is tunneled to the ASA. Let's say this user wants to reach a webserver (2.2.2.2) on the Internet behind R2.



Here’s what our traffic pattern will look like:

Cisco ASA Remote Access VPN Hairpin Traffic

Our traffic enters the ASA on its outside interface (GigabitEthernet0/0) and has to exit through that same interface. By default, the ASA drops this traffic. There is a second problem: the source address will be from the 192.168.10.0/24 VPN pool. R2 has no route back to that subnet (look at its configuration below), and on the real Internet a packet from a private RFC 1918 source would be dropped anyway, so replies would never make it back.

Let's see what we have to do to fix this issue. First, here are the starting configurations of R2 and ASA1, before any changes:

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip http server
!
end
hostname ASA1
!
ip local pool VPN_POOL 192.168.10.100-192.168.10.200
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0 
!
ftp mode passive
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.2 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-idle-timeout 15
dynamic-access-policy-record DfltAccessPolicy
username VPN_USER password E5PbZWWQ.j3bJJHz encrypted
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group MY_TUNNEL ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options 
  inspect netbios 
  inspect rtsp 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sip  
  inspect skinny  
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
 parameters   
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
!
: end

Let’s take a look at the configuration…

1.Configuration

There are two things we have to fix here:

  • We need to configure the ASA to permit traffic that enters and exits the same interface.
  • Traffic from the 192.168.10.0/24 subnet has to be translated to the address of the ASA's outside interface.

Before we make any changes, let’s try a ping from our remote VPN user:

C:\Users\H1>ping 2.2.2.2

Pinging 2.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

As expected these pings are failing. Let’s configure the ASA to permit traffic that enters and exits the same interface:

ASA1(config)# same-security-traffic permit intra-interface

The command above allows a packet to leave through the same interface it arrived on. The second thing to do is to configure a NAT rule:

ASA1(config)# nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface

The line above translates traffic from our network object VPN_POOL (which matches the 192.168.10.0/24 subnet) when it enters and exits the OUTSIDE interface. The source address is translated (PAT) to the IP address of the OUTSIDE interface of our ASA. This is a manual NAT rule, so on a firewall that already has other manual NAT rules, keep an eye on its position in the table (show nat): manual rules are matched in order, and a broader rule above it would win.

That’s all we have to configure, let’s verify our work!
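The lab above needs only the two commands. As an added example (not part of the original lab configuration), here is how those two lines fit with the rules a production ASA running this setup usually has as well: an identity NAT so VPN users reach inside hosts untranslated, and a vpn-filter, because the decrypted VPN traffic bypasses the OUTSIDE interface ACL while sysopt connection permit-vpn is on (the default). The INSIDE interface on 192.168.1.0/24 and the names INSIDE_NET and VPN_FILTER are assumptions; the show xlate output in the next section hints at such an inside network, but the printed configuration does not contain it. ASA 8.4(2)+ NAT syntax is assumed.

```cisco
! Added example, not the original page's config.
! Assumed: INSIDE interface on 192.168.1.0/24, object INSIDE_NET,
! access-list VPN_FILTER. VPN_POOL and VPN_POLICY exist on the page.
!
! 1. Allow a packet to leave through the interface it arrived on.
same-security-traffic permit intra-interface
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
!
! 2. Identity NAT for inside <-> VPN pool traffic. Manual NAT rules are
!    first-match, so this is pinned at line 1, above any dynamic PAT rule,
!    otherwise inside hosts would see VPN users as the interface address.
nat (INSIDE,OUTSIDE) 1 source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 3. Hairpin PAT: VPN pool -> Internet leaves OUTSIDE as the OUTSIDE address.
nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface
!
! 4. sysopt connection permit-vpn (default on) makes decrypted VPN traffic
!    skip the OUTSIDE ACL, so the hairpinned Internet traffic is NOT
!    filtered there. A vpn-filter is applied to the tunnel itself; its ACL
!    is written from the remote end's point of view (source = VPN client).
access-list VPN_FILTER extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list VPN_FILTER extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list VPN_FILTER extended permit icmp 192.168.10.0 255.255.255.0 any
access-list VPN_FILTER extended deny ip any any
group-policy VPN_POLICY attributes
 vpn-filter value VPN_FILTER
!
! Verification: trace a VPN-client packet through NAT and the filter.
! packet-tracer input OUTSIDE icmp 192.168.10.100 8 0 2.2.2.2
! packet-tracer input OUTSIDE tcp 192.168.10.100 1025 2.2.2.2 443
! show nat detail
```

The packet-tracer commands at the end walk a simulated client packet through the same NAT and access-control phases a real one would hit, which is the quickest way to see whether the hairpin PAT rule or the vpn-filter is the one dropping traffic.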

2.Verification

Let’s start with a simple ping from the remote VPN user:

C:\Users\H1>ping 2.2.2.2

Pinging 2.2.2.2 with 32 bytes of data:
Reply from 2.2.2.2: bytes=32 time=498ms TTL=255
Reply from 2.2.2.2: bytes=32 time=14ms TTL=255
Reply from 2.2.2.2: bytes=32 time=14ms TTL=255
Reply from 2.2.2.2: bytes=32 time=268ms TTL=255

Ping statistics for 2.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 498ms, Average = 198ms

These pings are now successful. We can also verify our work on the ASA:

ASA1# show xlate 
4 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.0/24 to OUTSIDE:192.168.1.0/24
    flags sIT idle 0:10:21 timeout 0:00:00
NAT from OUTSIDE:192.168.10.0/24 to INSIDE:192.168.10.0/24
    flags sIT idle 0:10:21 timeout 0:00:00
NAT from OUTSIDE:0.0.0.0/0 to OUTSIDE:0.0.0.0/0
    flags sIT idle 0:04:54 timeout 0:00:00

ICMP PAT from OUTSIDE:192.168.10.100/1 to OUTSIDE:192.168.2.254/1 flags ri idle 0:00:00 timeout 0:00:30

Above you can see that the IP address of the remote VPN user (192.168.10.100) is translated to the IP address on the OUTSIDE interface of our ASA (192.168.2.254). The last line, with flags ri (dynamic, portmap), is the ICMP PAT entry created by our new rule; the OUTSIDE:0.0.0.0/0 entry above it is the untranslated destination side of that same rule. The other two sIT (static identity) entries belong to an INSIDE network (192.168.1.0/24) that is not part of the configuration printed here.

Here are the final configurations of R2 and ASA1:

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip http server
!
end
hostname ASA1
!
ip local pool VPN_POOL 192.168.10.100-192.168.10.200
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
!
nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.2 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-idle-timeout 15
dynamic-access-policy-record DfltAccessPolicy
username VPN_USER password E5PbZWWQ.j3bJJHz encrypted
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group MY_TUNNEL ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options 
  inspect netbios 
  inspect rtsp 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sip  
  inspect skinny  
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
 parameters   
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
!
: end

3.Conclusion

Hairpinning on the ASA isn't very difficult. Once you understand why your firewall is dropping the traffic, it's easily fixed with a few commands. If you have any questions, feel free to leave a comment.