Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Hairpin a VPN on a cisco ASA Firewall

Hi,

I have gotten a rather unusual request and wondering has anybody come across it before and if it is technically feasible?  We have a Cisco ASA Firewall that terminates remote access clients using an anyconnect ssl vpn on the outside interface.

There is a DMZ interface on this same firewall that Guest Wireless clients use as their default gateway and route out to the internet via the outside interface.

Is it possible for these Guest Wireless clients to build a remote access VPN to the outside interface of the same ASA?  (i.e. Nat the guest clients to an public ip in the same subnet as the outside interface and then come back in to the inside interface to access resources)

 

Cheers

 Brian

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Hi Brian, How about

Hi Brian,

 

How about configuring webvpn on the DMZ interface as well as on the Internet facing interface?

Was in the same situation a few years back. It was easier to just configure webvpn on the guest-dmz interface.

 

I'm pretty sure that the ASA is not able to forward a flow from a higher security-level interface to a lower security-level interface and back in. 

 

You might be thinking of the "same-security-level permit-intra-interface" command?

That one does allow you to "loop" a flow from one host to another connected to an Interface.

 

Cheers,

Søren Elleby Sørensen

5 REPLIES
New Member

Hi Brian, How about

Hi Brian,

 

How about configuring webvpn on the DMZ interface as well as on the Internet facing interface?

Was in the same situation a few years back. It was easier to just configure webvpn on the guest-dmz interface.

 

I'm pretty sure that the ASA is not able to forward a flow from a higher security-level interface to a lower security-level interface and back in. 

 

You might be thinking of the "same-security-level permit-intra-interface" command?

That one does allow you to "loop" a flow from one host to another connected to an Interface.

 

Cheers,

Søren Elleby Sørensen

New Member

I'm thinking the original

I'm thinking the original question was concern that someone on the guest wireless network might be able to bring up a VPN on the outside, which would give them access to inside resources. I've never tried it myself, but I don't believe it's possible to establish a VPN coming through the ASA to reach that interface. I believe only connections arriving at the ASA on the outside would be able to establish a tunnel. If you really felt strongly about it, you could always deny some protocols inbound on the DMZ interface to the outside IP address, and that shouldn't break anything that ought to work.

Even if they could establish that tunnel coming through the DMZ interface, hopefully your VPN authentication mechanisms would keep out anyone who wasn't authorized to use the VPN. If it's too easy to crack the VPN authentication, you've got bigger problems.

 

John

New Member

Hi John,Thanks for the reply,

Hi John,

Thanks for the reply, I was looking for a way to bring up the VPN from the Guest DMZ using the outside interface alright.  It was to support a few guest users that wanted to use the VPN for testing.

Cheers

Brian

New Member

Then I agree with Plan B. If

Then I agree with Plan B. If you're trying to allow internal access to a group of guest users, but not all guest users, then that's your best bet. 

New Member

Hi Soren,Thanks, that was

Hi Soren,

Thanks, that was going to be my Plan B alright :)

 

Cheers

Brian

230
Views
0
Helpful
5
Replies
CreatePlease to create content