On our ASA we have a dedicated interface for guest users. The SSL VPN for accessing the inside network works fine from hosts located outside. Is it possible to VPN back in from the guest network? The guests are translated to a specific public outside address (not to the address configured on the outside interface of the ASA, but from the same public subnet).
Please correct me if I'm wrong, I would say hairpinning (u-turn) when traffic enters and exits same interface, not the contrary.
Well it's not a precisely defined term but more of an analogy as the "hairpin" refers to a visual representation of the path taken - flipping the direction at a device with the reverse path being a mirror image of the incoming path at the device where the direction changes.
I wanted to share that with you because thinking about if a packet leaves the interface it would reach the other end interface or another interface before being able to entering back the interface which it left, and that would be a normal flow, but if you think about it the other way, when a packet enter the interface and exit it soon it would not be necessary to reach any other interfaces before exiting out the interface on which it arrived.
Okay thanks for your explanations. When I try to connect to the outside interface from the guest network (DNS resolutions points to the public address) the connection is dropped. For testing purpose I configured an ip any any ACL on the outside interface without success. Do I have to configure anything else? As I said before from the outside anything works fine (incl. hairpinning from vpn clients to other S2S tunnels).
Security level of the outside interface is 100 and the level of the guest interface is 50. No ACL on guest interface which is denying incoming traffic.
First of all please consider that putting the outside interface in 100 security level is not recommended and would cause serious security concerns, it should be in 0 security level since it is connected to the untrusted side, but may be you are oing that only in lab. By default traffic flow from a lower security level to a higher security level is blocked, you should permit that traffic on the guest network interface (lower security level) in inbound direction not on the outside interface, because as mentioned before, in your case the traffic flow from outside interface (higher security level) would be allowed to pass to the lower security level interfaces (guest network), try to add the ip any any acl on the guest network and see if it works. Another thing you should know is that PIX/ASA by design does not allow you to ping/reach an interface from an opposite interface, for example, I cann't ssh outside interface from inside interface regardless of the security levels.
Ou! Sorry this was a typo! Outside level is 0. So packet flow is from guest interface to outside and then back in to the outside interface. Is this possible?
No worries :). When packet flow comes from guest network and reaches the outside interface it should exist that outside interface, goes to the next hop and then it would come back, you would not be able to make that traffic to make a u-turn on the outside interface without existing out of it, the u-turn would be done on the same interface on which the traffic arrives, but if it leaves the interface and pass through the ASA the u-turn would not be done, that's because when ASA pass through the traffic from an interface to another it assumes that the traffic should exit out an interface, but if you are sending traffic in inbound direction let's say on the outside interface, and you want to make the u-turn of that traffic then you would be able to do so on the same interface, means the traffic would enter that outside interface and makes the u-turn before passing through the ASA so exist again out of the outside interface.
Thanks again for your detailed explanations! So my assumption that this won't work is unfortunately true. Maybe I will install a second firewall for the guest network or enable webvpn on the guest interface itself (I know that this will result in a certificate error but that doesn't matter). They will use this connetion for testing purpose only.
For the first solution I have to use DNS rewriting (otherwise the client VPN address points to the outside interface of the ASA). Until now I only configured this stuff for internal servers together with NAT. Is it possible to rewrite an A record to the interface address of the ASA itself? I don't think so:)
I don't think so Matt, since as mentioned before, asa won't allow you to reach one of its interfaces from an opposite one, but it worth lab it up.
Please have a look at these links: