Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Hairpinning Configuration

We have the need to utilize our external ip addresses when vpn'ing to our clients so we can stay connected to our phone system.  Can someone take a look at my config and let me know what I'm missing?  The servers that need to be accessed by their external ip are xxx.xxx.211.218 219 and 204.

Thanks

pti-net-fw-a# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname pti-net-fw-a
enable password lMXWWssHXmnvjyuH encrypted
passwd plfUJ6bAVZDtbAU7 encrypted
no names
name 10.175.0.12 pti-p-monitor-b
name 10.175.0.27 exchange
name 10.175.0.21 webserver
name 10.175.0.249 lpt-jmartin
name 10.175.0.41 pti-p-monit-b
name 10.175.0.250 classrrom_server
name 10.175.0.245 pti-v-isprit-a
name 10.175.0.38 time.xxxxxxxx.com
name 10.175.0.51 NS1
name 10.175.0.52 NS2
name 10.175.0.22 pti-v-app-a
name 10.175.0.37 share.xxxxxxxx.com
name 10.175.0.55 RADIUS
name 10.175.0.40 mmoss
name 10.175.0.19 jabber
dns-guard
!
interface Ethernet0/0
description To_Outside_Internet
nameif outside
security-level 0
ip address xxx.xxx.211.2 255.255.255.0
!
interface Ethernet0/1
description To_InsidePTI_Network
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.172.0.2 255.255.0.0
!
interface Ethernet0/1.11
vlan 11
nameif vlan11
security-level 100
ip address 10.175.0.2 255.255.0.0
!
interface Ethernet0/1.11
vlan 11
nameif vlan11
security-level 100
ip address 10.175.0.2 255.255.0.0
!
interface Ethernet0/1.12
vlan 12
nameif vlan12
security-level 100
ip address 10.177.0.2 255.255.255.0
!
interface Ethernet0/1.15
vlan 15
nameif vlan15
security-level 100
ip address 10.181.0.2 255.255.255.0
!
interface Ethernet0/1.16
vlan 16
nameif vlan16
security-level 100
ip address 10.183.0.2 255.255.255.0
!
interface Ethernet0/1.17
vlan 17
nameif vlan17
security-level 100
ip address 10.185.0.2 255.255.255.0
!
interface Ethernet0/1.18
vlan 18
nameif vlan18
security-level 100
ip address 10.187.0.2 255.255.255.0
!
interface Ethernet0/1.19
vlan 19
nameif vlan19
security-level 100
ip address 10.189.0.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
port-object eq 587
port-object eq 993
port-object eq www
port-object eq 995
access-list oustide_access_in extended permit tcp any host xxx.xxx.211.5 eq 8483
access-list oustide_access_in extended permit udp any host xxx.xxx.211.19 eq domain
access-list inside_nat0_outbound extended permit ip 10.177.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list PAT-VLAN-10 extended permit ip 10.172.0.0 255.255.0.0 any
access-list PAT-VLAN-11 extended permit ip 10.175.0.0 255.255.0.0 any
access-list PAT-VLAN-12 extended permit ip 10.177.0.0 255.255.255.0 any
access-list PAT-VLAN-19 extended permit ip 10.189.0.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host xxx.xxx.211.3 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.211.13 eq ssh
access-list outside_access_in extended permit tcp any host xxx.xxx.211.4 eq ftp
access-list outside_access_in extended permit tcp any host xxx.xxx.211.4 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.211.4 eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.211.5 eq 5222
access-list outside_access_in extended permit tcp any host xxx.xxx.211.5 range 3478 3479
access-list outside_access_in extended permit tcp any host xxx.xxx.211.19 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.211.18 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.211.9 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.211.10 eq 162
access-list outside_access_in extended permit tcp any host xxx.xxx.211.10 eq 161
access-list outside_access_in extended permit tcp any host xxx.xxx.211.6 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.211.6 eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.211.15 eq https
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit udp any host xxx.xxx.211.18 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.211.16 eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host xxx.xxx.211.25 eq 7702
access-list outside_access_in extended permit tcp any host xxx.xxx.211.8 eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.211.16 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.211.14 eq 82
access-list outside_access_in extended permit tcp any host xxx.xxx.211.30 eq 3389
access-list TEST_VPN extended permit ip 10.177.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list PTI_VPN_splitTunnelAcl standard permit 10.175.0.0 255.255.0.0
access-list vlan11_nat0_outbound extended permit ip 10.175.0.0 255.255.0.0 172.30.110.0 255.255.255.128
access-list vlan11_nat0_outbound extended permit ip any 10.177.0.0 255.255.255.0
access-list vlan12_nat0_outbound extended permit ip any 10.175.0.0 255.255.0.0
access-list vlan15_nat0_outbound extended permit ip any 10.181.0.0 255.255.255.0
access-list vlan16_nat0_outbound extended permit ip any 10.183.0.0 255.255.255.0
access-list vlan17_nat0_outbound extended permit ip any 10.185.0.0 255.255.255.0
access-list vlan18_nat0_outbound extended permit ip any 10.187.0.0 255.255.255.0
access-list vlan19_nat0_outbound extended permit ip any 10.189.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu vlan10 1500
mtu vlan11 1500
mtu vlan12 1500
mtu vlan15 1500
mtu vlan16 1500
mtu vlan17 1500
mtu vlan18 1500
mtu vlan19 1500
ip local pool xxxxxxxx_POOL 172.30.110.10-172.30.110.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan10) 1 10.172.0.0 255.255.0.0
nat (vlan11) 0 access-list vlan11_nat0_outbound
nat (vlan11) 1 10.175.0.0 255.255.0.0
nat (vlan12) 0 access-list vlan12_nat0_outbound
nat (vlan12) 1 10.177.0.0 255.255.255.0
nat (vlan15) 0 access-list vlan15_nat0_outbound
nat (vlan16) 0 access-list vlan16_nat0_outbound
nat (vlan17) 0 access-list vlan17_nat0_outbound
nat (vlan18) 0 access-list vlan18_nat0_outbound
nat (vlan19) 0 access-list vlan19_nat0_outbound
static (vlan11,outside) tcp xxx.xxx.211.25 7702 10.175.0.54 3389 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.3 10.175.0.27 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.4 10.175.0.21 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.6 10.175.0.22 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.10 10.175.0.12 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.11 10.175.0.249 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.13 10.175.0.250 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.15 10.175.0.245 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.16 10.175.0.38 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.18 10.175.0.51 netmask 255.255.255.255 dns
static (vlan11,outside) xxx.xxx.211.19 10.175.0.52 netmask 255.255.255.255 dns
static (vlan11,outside) xxx.xxx.211.8 10.175.0.40 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.5 10.175.0.19 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.14 10.175.0.41 netmask 255.255.255.255
static (vlan11,outside) xxx.xxx.211.30 10.175.0.53 netmask 255.255.255.255
static (vlan11,vlan11) xxx.xxx.211.18 10.175.0.51 netmask 255.255.255.255
static (vlan11,vlan11) xxx.xxx.211.19 10.175.0.52 netmask 255.255.255.255
static (vlan11,vlan11) xxx.xxx.211.4 10.175.0.53 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.211.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PTI_REMOTE protocol radius
aaa-server PTI_REMOTE (vlan11) host 10.175.0.55
timeout 5
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 vlan12
http 0.0.0.0 0.0.0.0 vlan11
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 vlan10
ssh 0.0.0.0 0.0.0.0 vlan11
ssh 0.0.0.0 0.0.0.0 vlan12
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy PTI_VPN internal
group-policy PTI_VPN attributes
dns-server value 10.175.0.55 10.175.0.56
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PTI_VPN_splitTunnelAcl
default-domain value xxxxxxxx.local
username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
username admin password bjxuZM3wIpMVdTtH encrypted
username mtgadmin password QJuoApOKsrKhFioW encrypted
tunnel-group PTI_VPN type remote-access
tunnel-group PTI_VPN general-attributes
address-pool xxxxxxxx_POOL
authentication-server-group PTI_REMOTE
default-group-policy PTI_VPN
tunnel-group PTI_VPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b74b32f26e37537febbfd0d49660f6e
: end
pti-net-fw-a#

7 REPLIES

Re: Hairpinning Configuration

Hi,

Let's see if I understand...

You need to connect to the ASA with the VPN client and access the internal servers using their public IP addresses?

If so, you just need to NOT have a nat0 statement for the VPN traffic, so that you will access the actual NATed public address. Is this what you need?

Federico.

New Member

Re: Hairpinning Configuration

Federico,

Actually, when we VPN into some client networks, we are reach our internal systems. This is most likely due to the customer firewall and split-tunnelling, but we would then need to utilize our external IP/hostnames.  For instance, when I connect to customer A's VPN, I can no longer access the internal hostname/ip of our SIP server.  I would then like to connect to it via the external hostname/IP.

Thanks,

Jason

Re: Hairpinning Configuration

What happens is the following:


When you connect with your VPN client, the VPN client will bypass NAT and will reach the servers with the internal IP.
If you want for example to reach the servers that reside on vlan11 (10.175.0.0/16) with their public IPs,
then you must remove these lines:

nat (vlan11) 0 access-list vlan11_nat0_outbound
access-list vlan11_nat0_outbound extended permit ip 10.175.0.0 255.255.0.0 172.30.110.0 255.255.255.128

The above lines are taking precedence over the static NAT for the servers.
So, the VPN clients will always have access through the VPN to the internal IPs.

Federico.

New Member

Re: Hairpinning Configuration

We are still unable to ping our external IP addresses from the local LAN regardless of vpn.  Can you verify my hairpin configuration is correct?  I followed the guide from Cisco.

Thanks

Re: Hairpinning Configuration

Let's see if I understand correctly...


You can access from the Internet these servers xxx.xxx.211.218 219 and 204.
Now, you want to be able to access them via the same IP addresses when connected via VPN correct?

What do you mean with this:

We are still unable to ping our external IP addresses from the local LAN regardless of vpn

Are you trying to PING those public IPs from the LANs inside the ASA?

Federico.

New Member

Re: Hairpinning Configuration

Correct. We can leave VPN out of the scenario for now.  Some of our applications require the ability to ping the external IP from our inside.  The IP's that we really need to ping are .18 and .19.

Thanks!

Re: Hairpinning Configuration

There's a problem with that....

Since the ASA has a STATIC NAT rule for those servers, that means that while you're on the inside LAN, you're going to see the inside IP.

As well, if you're on the outside (form the ASA perspective), you will see the outside IP.

So, you can't really see from the inside the public IP or vice versa.

Theorically, if you do a STATIC:

static (outside,inside) public_IP public_IP

Then, you can see the public IP from the inside LAN.

Federico.

614
Views
0
Helpful
7
Replies
CreatePlease to create content