Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Hairpinning Remote Access Connections

Greetings like many people we connect to our customers via either permanent vpn connectivity or via locking down management access to our external company ip address.

Is it possible to configure the ASA 5510 so that i can connect to it using the cisco vpn client from any location and then connect to customers network which are in turn locked down to only permit connections from our external network?

At present i am having to connect to one of our internal servers and use it as a jump of point to connect to customer networks when im off site.

Regards

13 REPLIES

Re: Hairpinning Remote Access Connections

include all needed networks in the split-tunneling ACL

New Member

Re: Hairpinning Remote Access Connections

Thank you for your reply, i have tried adding said networks to the split tunnel list but am unable to connect to the customer networks via there outside management address.

Regards

New Member

Re: Hairpinning Remote Access Connections

Yes, its possible.. I have alreay set up this for here but i want to know which FW is using by customer becoz I had make it on ASA which was installed on other location. Cheers

New Member

Re: Hairpinning Remote Access Connections

I am using an ASA 5510 with 8.0.3(19) code, customer sites use a mix of ASA's, 2800's, 3800's etc for edge connectivity.

Green

Re: Hairpinning Remote Access Connections

We'd have to see the config. Make sure you have something like...

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

New Member

Re: Hairpinning Remote Access Connections

Cheers, i currently have the same-security-traffic permit intra-interface statement in place, please find the relevant config below.

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address ***.***.***.*** 255.255.255.240

!

interface Ethernet0/1

no nameif

no security-level

no ip address

!

interface Ethernet0/1.997

vlan 997

nameif demo

security-level 100

ip address 172.27.255.1 255.255.255.0

!

interface Ethernet0/1.998

vlan 998

nameif guest

security-level 25

ip address 172.30.255.1 255.255.255.0

!

interface Ethernet0/2

speed 100

duplex full

nameif access

security-level 100

ip address 172.29.255.1 255.255.255.0

!

interface Ethernet0/3

speed 100

duplex full

nameif voice

security-level 100

ip address 172.28.255.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.255.1 255.255.255.0

management-only

!

same-security-traffic permit inter-interface

access-list ITTelco_SpliTunnel remark ****** Split Tunnel Encrypted Traffic ******

access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0

access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0

mtu outside 1500

mtu demo 1500

mtu guest 1500

mtu access 1500

mtu voice 1500

mtu management 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-60360.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (outside) 2 guestoutbound

nat (demo) 0 access-list exempt_nat0_outbound

nat (guest) 2 172.30.255.0 255.255.255.0

nat (access) 0 access-list exempt_nat0_outbound

nat (access) 1 172.29.255.0 255.255.255.0

nat (voice) 0 access-list exempt_nat0_outbound

nat (voice) 1 172.28.255.0 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1

route demo 172.26.255.0 255.255.255.0 172.27.255.2 1

!

policy-map type inspect im im_Block

parameters

match protocol msn-im yahoo-im

drop-connection log

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect icmp

inspect icmp error

inspect pptp

inspect ipsec-pass-thru

inspect im im_Block

policy-map serv-pol-outbound

class csc-scan-class

csc fail-open

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

it-fw-5510#

Re: Hairpinning Remote Access Connections

access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0

no access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0

New Member

Re: Hairpinning Remote Access Connections

Thank you for your reply, the above allows me to connect to all networks inside the firewall but doesn't allow me to connect via the vpn client then back out to a customers external IP address as per the attached image.

Regards

Green

Re: Hairpinning Remote Access Connections

See my previous post. You have no "nat (outside)" command.

New Member

Re: Hairpinning Remote Access Connections

Ah apologies, i shall give that a go in the morning.

Thank you for your help so far

Re: Hairpinning Remote Access Connections

do as Adam Comiskey said

and in this case you should disable split tunneling.

New Member

Re: Hairpinning Remote Access Connections

Did anyone figure out how to do this, I am having same problem (need to be able to vpn in to office then make connections out to internet via the ip space of the remote office, for security reasons).

I am using a PIX501

Green

Re: Hairpinning Remote Access Connections

Can't be done with a pix 501 or any pix running version 6 code.

207
Views
4
Helpful
13
Replies
CreatePlease to create content