We have a cisco ASA running 8.6 code level. We currently have guest networks that we block access to internal LAN which means that users on these networks accessing internal resources have to egress to internet and hairpin back into the network. This is only a problem where we have cisco ASA. I know ASAs do not like to allow traffic to exit an interface and come back in again on the same interface.
My question is how do we allow hairpinning on this device. I tried to use same-security-traffic permit intra-interface command on the outside interface but this did not work.
Sounds to me like you are trying to achieve something that is not possible on the ASA or at least doesn't happen in the way you describe.
I mean traffic can't come from some Guest interface then head out through the External interface and then again enter back through External interface and be forwarded to Internal interface.
Or have I understood something wrong?
I gather you want to allow something from Guest to Internal? If so, shouldn't you do this straight between Guest and Internal?
Hairpinning usually only involves a single interface on the ASA. The most usual situations are:
Can you clarify the situation a bit.
If you have the latter situation of the above where user and server are both in the same subnet behind the same ASA interface then you can use this format
object network SERVER-REAL
 host <real server IP>
object network SERVER-MAPPED
 host <public/mapped IP>
object network LAN-NETWORK
 subnet <LAN network> <mask>
nat (Internal,Internal) after-auto source dynamic LAN-NETWORK interface destination static SERVER-MAPPED SERVER-REAL
Thanks for reply
Our offices are broken up into several VLANs and one of which is the guest network which users access for BYOD and client access via wifi. The AP has a rule on it that blocks access to internal LAN. Problem is the rules are not that granular where you can allow access to the internal resources, at least in a secure manner. We have a couple of egress points on our network and this is not a problem where there are non cisco firewalls.
The traffic traverses wan and egresses via the cisco ASA through the inside interface and then out the outside interface. If destination traffic is for an inside resource it then tries to come back in the same interface at which point packets drop. I cannot give access to resources via the AP because it will only allow all traffic or no traffic.
I guess it would be more like the second scenario you mention. Servers we want to access are on the internal LAN and DMZ behind ASA. However they are not on the same subnet.
Guest network is 10.3.10.0 /24 (rule on AP blocks access to all internal resources but allows access to internet)
Inside interface of asa 10.3.0.3 /29
DMZ subnet 172.16.28.1
From guest we would like to be able to get to published resources on internal network. In your second scenario are you saying to basically publish the resources on the inside interface as well?
To be honest I am still not quite sure how the setup is.
You say that you have an own Vlan for the Guest network and the AP can either block or allow all to the Internal network? What is stopping you from controlling the traffic on the ASA interface with specific rules?
When it comes to ASA, traffic can enter one interface and leave another or traffic can come in through one interface and leave through it. I don't think it's possible for the traffic to enter one interface and leave through another interface and then again enter that same interface. I would imagine this would result in a drop with log message of IP Spoof.
I didn't quite get this part either
The traffic traverses wan and egresses via the cisco ASA through the inside interface and then out the outside interface. If destination traffic is for an inside resource it then tries to come back in the same interface at which point packets drop.
It might be possible that I have understood this wrong and at this point it would probably be a lot easier to look at the situation with a help of some picture or the actual configuration.
So the Guest wifi networks are not directly connected to the ASA. We have multiple offices connected via MPLS and have 2 egress points. One on the east coast and one on the west coast. Every office has a guest network which is a vlan on our MPLS network but the AP (meraki) themselves block access to the internal LAN. I suppose they have a rule that blocks access to any private lan space. Once it passes the AP it rides our wan to its nearest egress which then exits out the ASA. We have a firewall on the west coast and one on the east coast both of which publish internal resources. So traffic from guest networks would have to pass the inside interface and the outside interface and then come back in. Like I said only the ASA blocks this traffic. The firewall on the west coast does not block hairpinning like this.
Sounds like what I want to do is not possible with the ASAs. So this must be a common problem with people using Merakis and cisco ASAs.
It almost sounds like you have a routing loop going on.
In any case, to configure hairpinning on the ASA just add the command you mentioned in your post: same-security-traffic permit intra-interface
But you also need to make sure that the ACLs permit the traffic you want to allow through and that NAT is correctly configured (if this is relevant).
No routing loop as far as I can see.
Bottom line is how do we allow internal users to access published resources on the ASA via outside interface. This means packets would have to traverse inside interface and then come back in the outside interface.
Where do I place this command? On the outside interface? Inside and outside?
I don't have a complete picture of what you're trying to do, and honestly, I think through some other routing and security means we could probably come up with a better solution, however, that being said from what I understand it appears you are trying to hairpin.
If you are attempting to hairpin with an ASA you need to implement a Service-Policy to ignore the TCP state. This configuration is called a tcp-state-bypass.
policy-map global_policy
 class <TCP-BYPASS-CLASS>
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
Also, be wary of your NAT configurations.
If you get a chance run a debug (CLI/ASDM, doesn't matter) and filter from the src traffic of a node on the originating subnet.
Packet-Tracer is also a very powerful tool, if you understand your traffic patterns through each interface please attempt to compile this output as well.
This guy explains it a little more elegantly but basically it is the same thing I want to do except that I am doing this because my internal "guest networks" do not have access to lan.
I just need to figure out how to do this using 8.6 code. This is using old static nat commands.
I tried the instructions above and it did not work.
To test I published a server using port 80 and then from a different subnet tried to get to the server using its NATted public IP (hairpin) and could not get there. I also tried packet tracer and get green all the way down.
I will open a TAC case to see if they can help me. I will post results back here
Are you trying to access the public IP of the published servers? If so, I am assuming you are using a local DNS server?
If this is the case you would need to NAT traffic that is destined for the public IP of the server to the private IP on the inside network.
object service PORT
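A complete version of the NAT reflection this thread circles around, added here as an example rather than configuration posted by any participant. It uses the 8.3+ NAT syntax that 8.6 runs and assumes hypothetical addresses: a web server 10.3.20.10 on the inside interface published as 203.0.113.10, with the guest range 10.3.10.0/24 quoted earlier in the thread.

```cisco
! ASA 8.3+ syntax (applies to 8.6). Hypothetical values: real server 10.3.20.10
! behind "inside", mapped/public address 203.0.113.10, guest range 10.3.10.0/24.

! Let a flow enter and leave the same ASA interface. This is a global command,
! not something applied per interface.
same-security-traffic permit intra-interface

object network SERVER-REAL
 host 10.3.20.10
 ! Normal publication of the server towards the Internet (object NAT, section 2).
 nat (inside,outside) static 203.0.113.10
object network SERVER-MAPPED
 host 203.0.113.10
object network GUEST-NET
 subnet 10.3.10.0 255.255.255.0

! Hairpin rule (manual NAT placed after object NAT, i.e. section 3): a guest host
! arriving on "inside" that connects to the public address is handed to the real
! server on the same interface. The destination is rewritten to SERVER-REAL and the
! source is PAT'd to the inside interface address, so the server answers the ASA,
! which un-translates the reply. Without the source translation the server would
! reply straight to 10.3.10.x and the ASA would never see the return half of the
! TCP handshake, which is the state problem tcp-state-bypass tries to paper over.
nat (inside,inside) after-auto source dynamic GUEST-NET interface destination static SERVER-MAPPED SERVER-REAL

! If an ACL is applied inbound on "inside" it must permit the flow. In 8.3+ ACLs are
! evaluated against real (untranslated) addresses, so reference SERVER-REAL here.
access-list INSIDE-IN extended permit tcp object GUEST-NET object SERVER-REAL eq www
access-group INSIDE-IN in interface inside

! Verification: simulate a guest host opening port 80 to the public address. Expect
! both NAT phases in the output, input and output interface "inside", result ALLOW.
packet-tracer input inside tcp 10.3.10.50 40000 203.0.113.10 80
```

Because the guest source is translated as well, the return path stays symmetric through the ASA and the tcp-state-bypass workaround suggested above is not needed for this case.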