New Member

ASA5510 with VPN and hairpinning

I have an ASA5510 I want to place in my network for firewalling and VPN purposes. It is replacing the Cisco 2821 router using the VPN and firewall modules.

I would like to "hairpin" VPN users and restrict them to a subset of my outside IP addresses; i.e. they connect to the outside port on 64.244.xx.2 /25 (split tunneling is disabled), but to the outside world they then have an outside IP address of 64.244.xx.96-.126.

Is this possible and can I also allow them access into my internal network at the same time?

Or should I set up separate VPN groups; one that gets internal access and an internal IP or 192.168.252.0 /24, and one that is hairpinned out to the Internet using routeable IPs?

What is the best way to do this? I have been going through every option under the ASDM, but to no avail. I can provide my current config if needed.

Thanks.

13 REPLIES
Green

Re: ASA5510 with VPN and hairpinning

Hairpinning is no problem, should be your solution. Assuming the VPN client subnet pool is 192.168.100.0/24.

same-security-traffic permit intra-interface
global (outside) 10 64.244.xx.96-64.244.xx.126
nat (outside) 10 192.168.100.0 255.255.255.0

Then configure your VPN access to inside as usual.

access-list nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nat0

Also be sure to disable split tunnel.

New Member

Re: ASA5510 with VPN and hairpinning

Excellent. I will be configuring this tomorrow for all the employees. I'll give your recommendations a go. Sounds like a valid solution. Will let you know the outcome.

Much appreciated.

Re: ASA5510 with VPN and hairpinning

This link will help you with half of your configuration :)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Regards

Farrukh

New Member

Re: ASA5510 with VPN and hairpinning

Thanks much. I attempted to place the 5510 in front of my 2821 late this evening and had no luck getting any sort of Internet connection out. Something must be foobar with my new config. Was not even able to attempt a hairpin VPN connection as Internet connectivity was down.

Am attaching configs for both the 2821 and the 5510 along with my proposed changes.

Maybe someone can see what I was doing wrong.

Green

Re: ASA5510 with VPN and hairpinning

I think you're missing a route on your 5510.

route inside 192.168.252.0 255.255.255.0 172.17.10.2

New Member

Re: ASA5510 with VPN and hairpinning

That makes sense. I've been looking over both configs and that looks right.

I'll give it another shot tomorrow evening.

I am attaching a copy of the Visio diagram showing how I would like it to be.

Your comments are much appreciated. Thanks for the clarification.

Green

Re: ASA5510 with VPN and hairpinning

You also are missing something like this...

global (outside) 1 interface
nat (inside) 1 0 0

New Member

Re: ASA5510 with VPN and hairpinning

Adding this route to the 5510 yields this error:

firewall(config)#route inside 192.168.252.0 255.255.255.0 172.17.10.2
ERROR: Cannot add route, connected route exists

All the routes appear to be good and I do not see what the issue can be.

nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) esva.external esva.internal netmask 255.255.255.255
static (inside,outside) mediamail.external mediamail.internal netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.244.87.1 1

Thanks.

Green

Re: ASA5510 with VPN and hairpinning

Could you post your visio as a jpeg?

New Member

Re: ASA5510 with VPN and hairpinning

Sure thing. I am including a .png and a .jpg.

New Member

Re: ASA5510 with VPN and hairpinning

I also made some changes to my ASA5510 last night that I was hopeful would work.

Here is the current ASA5510 config with the proper routes and NAT'ing. Again, its IP is 192.168.252.10 as the management IP.

Users were still NOT able to get out to the Internet.

I did a "sho ip routes" on both the 2821 and the 5510 when they were in-line and though they could talk to each other and the routing tables looked good, I could not get out on the Internet.

Here are the commands I issued to the 2821 after I placed the 5510 in-line.

conf t
interface GigabitEthernet0/0
no ip address 64.244.87.2 255.255.255.128
ip address 172.17.10.2 255.255.255.252
no ip route 0.0.0.0 0.0.0.0 64.244.87.1 name XO-ROUTER
ip route 0.0.0.0 0.0.0.0 172.17.10.1 name ASA5510
no ip nat source static 192.168.252.10 64.244.87.10

Green

Re: ASA5510 with VPN and hairpinning

Fix your mask if it is /25.

interface Ethernet0/0
description Outside interface
nameif outside
security-level 0
ip address 64.244.87.2 255.255.255.128

Second, your nat (inside) should reflect the internal network you wish to NAT, not the external VPN network.

global (outside) 1 interface
global (outside) 10 64.244.87.96-64.244.87.126
nat (inside) 1 0 0
nat (outside) 10 172.18.10.0 255.255.255.192

New Member

Re: ASA5510 with VPN and hairpinning

Dang. You're right....

I guess being the only person in the office who does Cisco is a distinct disadvantage. It helps to have some extra eyes take a look.

I'll make these changes and let you know how it goes.

Thanks much.
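The following is a consolidated version of the ASA side of the setup discussed in this thread, added here as an example; it is not from the original thread or any of its posters. It uses the same pre-8.3 nat/global syntax the replies use. Addressing is assumed from the posts and is hypothetical where the thread is silent: outside 64.244.87.2/25, inside 172.17.10.1/30 on the link to the 2821 (172.17.10.2), the office LAN 192.168.252.0/24 behind the 2821, a VPN pool of 172.18.10.0/26, and group-policy and tunnel-group names that are made up. The IPsec crypto map, transform set and ISAKMP policy are standard and left out; the configuration example linked earlier in the thread covers them.

```cisco
! Added example: consolidated ASA 5510 configuration for hairpinned VPN clients.
! Pre-8.3 NAT syntax, matching this thread. All addresses below are assumed.
interface Ethernet0/0
 description Outside interface
 nameif outside
 security-level 0
 ip address 64.244.87.2 255.255.255.128
interface Ethernet0/1
 description Inside link to the 2821
 nameif inside
 security-level 100
 ip address 172.17.10.1 255.255.255.252
!
! Allow decrypted VPN traffic to leave through the interface it arrived on.
same-security-traffic permit intra-interface
!
! VPN client pool (hypothetical range) and routing.
! The LAN route is only accepted if no ASA interface, including the
! management interface, already has an address in 192.168.252.0/24;
! otherwise the ASA reports "connected route exists".
ip local pool vpnpool 172.18.10.1-172.18.10.62 mask 255.255.255.192
route outside 0.0.0.0 0.0.0.0 64.244.87.1 1
route inside 192.168.252.0 255.255.255.0 172.17.10.2 1
!
! NAT: LAN hosts PAT to the outside interface address (pool 1).
! Hairpinned VPN clients translate to the dedicated public range
! .96-.126 (pool 10), so the rest of the /25 is never sourced by them.
nat-control
global (outside) 1 interface
global (outside) 10 64.244.87.96-64.244.87.126
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 172.18.10.0 255.255.255.192
!
! NAT exemption so LAN <-> VPN client traffic is not translated.
access-list inside_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 172.18.10.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
!
! Group policy: split tunneling disabled, so client Internet traffic
! comes through the tunnel and is hairpinned out via pool 10.
group-policy hairpin_gp internal
group-policy hairpin_gp attributes
 split-tunnel-policy tunnelall
!
! Remote-access tunnel group (hypothetical name) bound to the pool and policy.
tunnel-group vpnusers type remote-access
tunnel-group vpnusers general-attributes
 address-pool vpnpool
 default-group-policy hairpin_gp
```

Two points worth checking once this is in place. First, with tunnelall in effect the clients' Internet traffic is inspected by the ASA, but interface access lists are bypassed for VPN sessions while `sysopt connection permit-vpn` (the default) is enabled; if you want to restrict what the VPN pool can reach on the LAN, apply a `vpn-filter` ACL in the group policy rather than relying on the outside access-group. Second, confirm the translations with `show xlate` from a connected client: LAN-bound flows should show no translation (the nat 0 exemption), and Internet-bound flows should show a global address in the .96-.126 range.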
