RA IPSEC - enable hairpinning but restricting access to web

Answered Question
Nov 5th, 2013

ASA5520     8.2(5)30



Greetings,


I have an IPSEC RA policy that's set up to tunnel all traffic (no split-tunnel) through the ASA (terminates on the outside interface). I need to be able to allow these same VPN users to access one web page (hairpinning) on the outside interface.


++++++++++++++++++++++++++++++


Here are the current settings:

group-policy L_Admins internal
group-policy L_Admins attributes
 wins-server value 172.16.0.33 172.16.0.9
 dns-server value 172.16.0.33 172.16.0.9
 vpn-idle-timeout 60
 vpn-session-timeout 480
 vpn-filter value l-admin-test-filter

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33
     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9
     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.1.4
     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.1.2
     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 10.24.0.0 255.252.0.0
     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.233

 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value IHI.local

tunnel-group L_Admins type remote-access
tunnel-group L_Admins general-attributes
 address-pool ili_global
 authentication-server-group PhoneFactor
 default-group-policy L_Admins
tunnel-group L_Admins ipsec-attributes
 pre-shared-key *


++++++++++++++++++++++


Hairpinning is currently not enabled, so I assume I need to add:

same-security-traffic permit inter-interface

and (I assume)

ip local pool l_admins 172.30.4.1-172.30.4.2 mask 255.255.255.252
global (outside) 1 interface ***** PAT IP
nat (outside) 1 172.30.4.1-172.30.4.2 mask 255.255.255.252


But from here I don't know how to restrict access to a single external IP on the web over port 80.

Correct Answer
Jouni Forss Tue, 11/05/2013 - 06:48

Hi,

The correct command to enable traffic to enter and leave the same interface is

same-security-traffic permit intra-interface

The command you posted allows traffic between 2 different interfaces which have the same "security-level" value:

same-security-traffic permit inter-interface

With regards to the Dynamic PAT for Internet traffic: if you have this already

global (outside) 1 interface

then you will need the "nat" command for the VPN pool

nat (outside) 1 172.30.4.0 255.255.255.252

With regards to controlling the traffic towards the Internet, shouldn't you be able to simply add that destination server IP address to the VPN Filter ACL you already have in use? I mean the ACL named "l-admin-test-filter".

For example

access-list l-admin-test-filter remark Allow external server connection
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 80
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 443
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 8080

- Jouni
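
The vpn-filter approach above works because the ASA evaluates the filter ACL first-match with an implicit deny at the end, so one `permit tcp <pool> host <server> eq 80` entry lets the hairpinned clients reach exactly one external host on one port while tunnelall still sends everything else to the ASA, where it is dropped. The following Python script is an added example written for this page (it is not code from the thread or from Cisco): it parses ASA-style ACL entries like the ones in this thread and evaluates sample flows from a pool client against them. It assumes 203.0.113.10 as a constructed placeholder for the external web server, which the thread never names, and it models only the client-initiated direction of each flow; the intra-interface and NAT settings that make the hairpin itself possible are outside what an ACL evaluator can show.

```python
"""Added example (not from the thread, not Cisco code): a minimal evaluator
for ASA-style vpn-filter ACL entries, used to check which VPN-client flows
an ACL like "l-admin-test-filter" permits once a hairpin entry for a single
external web server on port 80 is added.

Assumptions: 203.0.113.10 is a constructed placeholder for the external
web server (the thread never names it); only client-initiated flows are
modelled; entries are matched first-match with an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts dotted netmasks; a non-contiguous mask such as
    # 255.255.252.252 raises ValueError here.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'
    lines into per-ACL entry lists; remark lines are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line!r}")
        name, i = tokens[1], 2
        if tokens[i] == "remark":
            continue
        if tokens[i] == "extended":
            i += 1
        action, proto, i = tokens[i], tokens[i + 1], i + 2
        src, i = _parse_addr(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation of a client-initiated flow; implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed sample: three of the thread's internal entries plus one
# hairpin entry for the placeholder external server, port 80 only.
SAMPLE_ACL = [
    "access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33",
    "access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9",
    "access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 10.24.0.0 255.252.0.0",
    "access-list l-admin-test-filter remark Allow the single external web server (placeholder IP)",
    "access-list l-admin-test-filter extended permit tcp 172.30.4.0 255.255.255.252 host 203.0.113.10 eq 80",
]


def hairpin_check(acl_lines: List[str] = SAMPLE_ACL) -> Dict[str, str]:
    """Return the verdict for a few representative flows from a pool client."""
    aces = parse_acl(acl_lines)["l-admin-test-filter"]
    client = "172.30.4.1"
    return {
        "dns_internal": evaluate(aces, "udp", client, "172.16.0.33", 53),
        "web_port80":   evaluate(aces, "tcp", client, "203.0.113.10", 80),
        "web_port443":  evaluate(aces, "tcp", client, "203.0.113.10", 443),
        "other_host":   evaluate(aces, "tcp", client, "203.0.113.11", 80),
        "not_in_pool":  evaluate(aces, "tcp", "172.30.5.1", "203.0.113.10", 80),
    }


if __name__ == "__main__":
    for flow, verdict in hairpin_check().items():
        print(f"{flow:12s} {verdict}")
```

Running it shows DNS to the internal server and HTTP to the placeholder server permitted, and HTTPS to that server, HTTP to any other external host, and traffic from an address outside the /30 pool all denied. Note that the example entries posted in the answer above read `host eq 80` with no address after `host`; `parse_acl` rejects them for that reason, and the server's real IP has to be filled in before they are applied on the ASA.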

iholdings Tue, 11/05/2013 - 07:00

Hi Jouni,

Thanks so much for the prompt reply. I will add the nat and acl statements and report back.

-Tom

iholdings Wed, 11/06/2013 - 08:05

Jouni-

Worked like a charm!!

Thanks for your help

Jouni Forss Wed, 11/06/2013 - 08:07

Hi,

Great to hear that it's working as expected

- Jouni
