I have an ASA5510 I want to place in my network for firewalling and VPN purposes. It is replacing the Cisco 2821 router using the VPN and firewall modules.
I would like to "hairpin" VPN users and restrict them to a subset of my outside IP addresses; i.e. they connect to the outside port on 64.244.xx.2 /25 (split tunneling is disabled), but to the outside world they then have an outside IP address of 64.244.xx.96-.126.
Is this possible and can I also allow them access into my internal network at the same time?
Or should I set up separate VPN groups; one that gets internal access and an internal IP or 192.168.252.0 /24, and one that is hairpinned out to the Internet using routeable IPs?
What is the best way to do this? I have been going through every option under the ASDM, but to no avail. I can provide my current config if needed.
Hairpinning is no problem, should be your solution. Assuming vpn client subnet pool is 192.168.100.0/24.
same-security-traffic permit intra-interface
global (outside) 10 64.244.xx.96-64.244.xx.126
nat (outside) 10 192.168.100.0 255.255.255.0
Then configure your vpn access to inside as usual.
access-list nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nat0
Also be sure to disable split tunnel.
Excellent. I will be configuring this tomorrow for all the employees. I'll give your recommendations a go. Sounds like a valid solution. Will let you know the outcome.
This link will help you with half of your configuration :)
Thanks much. I attempted to place the 5510 in front of my 2821 late this evening and had no luck getting any sort of Internet connection out. Something must be foobar with my new config. Was not even able to attempt a hairpin VPN connection as Internet connectivity was down.
Am attaching configs for both the 2821 and the 5510 along with my proposed changes.
Maybe someone can see what I was doing wrong.
That makes sense. I've been looking over both configs and that looks right.
I'll give it another shot tomorrow evening.
I am attaching a copy of the Visio diagram showing how I would like it to be.
Your comments are much appreciated. Thanks for the clarification.
Adding this route to the 5510 yields this error:
firewall(config)#route inside 192.168.252.0 255.255.255.0 172.17.10.2
ERROR: Cannot add route, connected route exists
All the routes appear to be good and I do not see what the issue can be.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) esva.external esva.internal netmask 255.255.255.255
static (inside,outside) mediamail.external mediamail.internal netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
I also made some changes to my ASA5510 last night that I was hopeful would work.
Here is the current ASA5510 config with the proper routes and NAT'ing. Again, it's IP is 192.168.252.10 as the management IP.
Users were still NOT able to get out to the Internet.
I did a "sho ip routes" on both the 2821 and the 5510 when they were in-line and though they could talk to each other and the routing tables looked good, I could not get out on the Internet.
Here are the commands I issued to the 2821 after I placed the 5510 in-line.
no ip address 22.214.171.124 255.255.255.128
ip address 172.17.10.2 255.255.255.252
no ip route 0.0.0.0 0.0.0.0 126.96.36.199 name XO-ROUTER
ip route 0.0.0.0 0.0.0.0 172.17.10.1 name ASA5510
no ip nat source static 192.168.252.10 188.8.131.52
Fix your mask if it is /25.
description Outside interface
ip address 184.108.40.206 255.255.255.128
Second, your nat (inside) should reflect internal network you wish to nat, not the external vpn network.
global (outside) 1 interface
global (outside) 10 220.127.116.11-18.104.22.168
nat (inside) 1 0 0
nat (outside) 10 172.18.10.0 255.255.255.192
Dang. You're right....
I guess being the only person in the office who does Cisco is a distinct disadvantage. It helps to have some extra eyes take a look.
I'll make these changes and let you know how it goes.