Hairpinning on ASA 5505

Answered Question
Sep 4th, 2008

I am doing VPN proof of concept testing on my ASA 5505 in preparation for migration to two other 5510s. I have set up two VPN groups: one that allows for split tunneling, but grants user access to the internal NAT'ed network, and one that does hairpinning, forcing the user back out on the same interface using a viable IP address range.

The former is working just fine, but I am having problems getting the latter to work.

I can connect to any server on the internal network but cannot route back to the Internet. I am using an internal DNS server in the internal network and it can resolve IP addresses no problem.

I suspect I am missing something relatively minor. Can someone take a look at my 5505 config and let me know what is happening?

I have this set up within my work network, 192.168.252.0/24. The outside IP of the firewall is 192.168.252.76 (DHCP assigned) and the internal network behind the firewall is 192.168.1.0/24. The VPN IP address range is 192.168.2.0/26. I have a Linux test server sitting behind the firewall using 192.168.1.2, which I can access just fine using the split tunneling and the hairpin method. But after connecting to the firewall using hairpinning and NO split tunneling, all my other outside connections drop.

Thanks in advance.

acomiskey Thu, 09/04/2008 - 18:55

You are missing a nat statement.

nat (outside) 1 192.168.2.64 255.255.255.192

kerryjcox Fri, 09/05/2008 - 09:44

Yep. I missed that. Once I put it in, I was able to hairpin no problem.

On a related note (and if I need to open another conversation I will), how can I assign users who are hairpinning back out a valid outside IP address?

For example, users connect from home to our outside IP address on the firewall/VPN. They hairpin back out and are given a new IP address from our /25 block of IPs.

So, rather than getting an IP from the 192.168.2.0 /24 subnet used by VPN users, can I assign all outgoing or hairpinned connections something from the 64.xx.xx.96 /27 subnet?

Thanks again.

acomiskey Fri, 09/05/2008 - 09:58

Is this what you're asking? Or do you want to change the vpn pool from 192.168.2.x to 66.xx.xx.x?

global (outside) 2 64.xx.xx.96 255.255.255.224

nat (outside) 2 192.168.2.64 255.255.255.192

Please rate helpful posts.

kerryjcox Fri, 09/05/2008 - 10:08

Based on what I read (and I could be wrong), the vpnpool is simply a different subnet of IP addresses assigned to VPN users, not intended for Internet routing. They do not use this IP address range for external connections.

I would like these VPN users to be assigned a valid, routable IP address from my outside block.

I tried manually adding these outside IP addresses (64.xx.xx.96), but the firewall complains of overlap with the outside interface.

Am I misunderstanding this then?

acomiskey Fri, 09/05/2008 - 11:29

Typically, you assign the vpn clients a private pool. If they need to be routable you can nat them during the hairpin to those 64.x addresses.

kerryjcox Fri, 09/05/2008 - 11:50

Ahh... gotcha. That makes sense.

One last question: I am not certain how the GUI manages this, as I am not certain whether to create the NAT rule on the inside, outside, dmz, or media interface.

It's easy enough when I have only two interfaces, outside and inside. What about the other interfaces? Is the vpnpool assigned to a specific interface?

Is there a simple CLI command to do this?

Much appreciated.

Correct Answer
acomiskey Fri, 09/05/2008 - 12:05

The vpn clients are considered to be sourced from whichever interface the vpn is terminating on. In your case, the outside interface. If you want to PAT the vpn clients on the outside interface to the 64.xx.xx.96 address:

global (outside) 2 64.xx.xx.96 255.255.255.224

nat (outside) 2 192.168.2.64 255.255.255.192
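Putting the accepted answer into a complete pre-8.3 (ASA 7.x/8.0) configuration, as an added example that is not from the thread. The two NAT lines are the ones acomiskey posted; the pool range, the group-policy and tunnel-group names, the same-security-traffic line and the inside NAT lines are assumptions filled in from the original post.

```cisco
! Hairpinned remote-access VPN clients, pre-8.3 NAT syntax (added example, not from the thread)
!
! Hairpinning means traffic enters and leaves the same (outside) interface,
! which the ASA drops by default; this line permits it.
same-security-traffic permit intra-interface
!
! Client pool. Assumed to be the /26 that acomiskey's nat statement covers
! (192.168.2.64 - 192.168.2.127), with .64 and .127 left unused.
ip local pool vpnpool 192.168.2.65-192.168.2.126 mask 255.255.255.192
!
! No split tunneling: every client packet, Internet-bound included, comes
! back to the ASA and is hairpinned out of the outside interface.
group-policy HAIRPIN-GP internal
group-policy HAIRPIN-GP attributes
 split-tunnel-policy tunnelall
!
tunnel-group HAIRPIN type remote-access
tunnel-group HAIRPIN general-attributes
 address-pool vpnpool
 default-group-policy HAIRPIN-GP
!
! VPN clients are treated as sourced from the interface the tunnel
! terminates on (outside), so their nat statement goes on OUTSIDE, not inside.
! NAT id 2 pairs the client subnet with the public address from the /27.
nat (outside) 2 192.168.2.64 255.255.255.192
global (outside) 2 64.xx.xx.96 255.255.255.224
!
! Existing inside hosts (assumed) keep NAT id 1, PAT to the outside
! interface address. Use a different id so the two pools do not overlap.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

After a client connects and browses out, `show xlate` should list 192.168.2.x sources translated to 64.xx.xx.96; if the client reaches 192.168.1.2 but not the Internet, the nat (outside) line is the first thing to check, as in the thread.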

kerryjcox Fri, 09/05/2008 - 13:07

Much appreciated. That did the trick.

Was able to configure on both ASDM and CLI.

Very cool.

gacross Fri, 09/12/2008 - 05:41

Does anyone know if it is possible to do the hairpin on an IOS FW setup? If so what is the trick? There isn't an interface to put the "nat inside" on for the ipsec client. Thanks.
