Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Hairpin VPN to another firewall

Hi,

I have a tunnel between our office and colation facility. All external http/s traffic enters the firewall in our office. I need to redirect http traffic entering the outside of the office ASA to the webserver located in the colo over the existing tunnel. Any help is appreciated. I am running 8.2(2) code.

Thanks,

Bill

Everyone's tags (3)
3 REPLIES
Super Bronze

Re: Hairpin VPN to another firewall

Hi,

So you want to host a Web server running at a remote location through the main site using an existing L2L VPN connection?

I would imagne the first thing you need is to configure Static NAT or Static PAT for your remote locations server. You should also confirm that you have the setting that enables Hairpinning / U-turn on the "outside" interface.

same-security-traffic permit intra-interface

static (outside,outside) netmask 255.255.255.255

static (outside,outside) tcp 443 443 netmask 255.255.255.255

static (outside,outside) tcp 80 80 netmask 255.255.255.255

The above options would do a Static NAT or Static PAT for the server located behind the L2L VPN connection

I am not sure are you planning to use the "outside" interface IP address with Static PAT (Port Forward) or Static NAT with a public IP address that will be dedicated for this server. You should take into consideration that if you use the ASA interface public IP address then the ASA by default uses the port TCP/443 for SSL VPN and ASDM management.

You would also require a Dynamic Policy PAT configuration. You should PAT all the traffic coming from the Internet to a single IP Address before it heads through the L2L VPN so that you wont have to forward all of the servers external traffic through the L2L VPN. The IP address to which you PAT the traffic coming from the Internet could be an IP address configured on the L2L VPN already. For example an unused local IP address from the main sites LAN network that currently uses the L2L VPN

access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server

access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 80

access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 443

nat (outside) 200 access-list REMOTE-WEB-POLICYPAT

global (outside) 200

The above NAT configuration would do Dynamic PAT for all the Internet source addresses that were contacting the NAT IP address we previously configured for the remote server.

To my understanding the above is the basic things needed to achieve this. One main thing is to remember that after the source address has been translated (Dynamic Policy PAT) and the destination address has been untranslated (Static NAT or Static PAT) , they have to match the current L2L VPN Encryption domain. So make sure the L2L VPN configurations allow for this traffic to be tunneled.

Some naturally depends on your current setup/configuration which we dont know

- Jouni

New Member

Hi Journi,I created the

Hi Jouni,

I created the attached configuration plan based on your config details and some other documentation I pulled from the web.

Can you please take a brief look at my configuration details and see if there is something visibly wrong here?

I added all configurations, and in the end I received the following error:

global address overlaps with mask

Here is a snippit of my ssh session:

ASA# conf t
ASA(config)#same-security-traffic permit intra-interface (Note: Already existed, just placed here for reference)

ASA(config)#access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
ASA(config)#access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151

ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-1
global address overlaps with mask
ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-2
global address overlaps with mask
ASA(config)#
ASA(config)# sh log | inc 67.248.74.65
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 86533163 for outside:192.168.79.200/54564 (192.168.79.200/54564) to outside:67.248.74.65/443 (67.248.74.65/443)
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532834 for outside:192.168.79.200/54551 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532835 for outside:192.168.79.200/54552 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 86533163 for outside:192.168.79.200/54564 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
ASA(config)#

From packet captures, I am able to see traffic arriving at SITE B, from SITE A.

However, the traffic does not get translated to the Global NAT [209.177.206.151] after it arrives, which is required in order to pass to Site C.

Config details from Site B are noted below, if you have any suggestions, your help is much appreciated!

 

Thanks,

Ecanyon

 

Below is some of the config data from Site B

ASA Version 8.2(5)
!
Interfaces
----------
interface GigabitEthernet0/0
 description Outside Interface
 duplex full
 nameif outside
 security-level 0
 ip address 209.177.206.15 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside Network (192.168.229.0/24)
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.229.1 255.255.255.0
!

Elements
--------
object-group network COLO_IPs
 network-object host 67.248.74.65
 network-object host 67.248.74.68
 network-object host 67.248.74.69
 network-object host 67.248.74.70
 network-object host 67.248.74.71
 network-object host 67.248.74.59

ACLs
----
access-list inside-no-nat extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list inside-no-nat extended permit ip 192.168.79.0 255.255.255.0 object-group COLO_IPs

access-list ENCDOM100 extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list ENCDOM100 extended permit ip object-group COLO_IPs 192.168.79.0 255.255.255.0

access-list ENCDOM101 remark Site B connectivity to Site C
access-list ENCDOM101 extended permit ip host 209.177.206.151 object-group COLO_IPs

access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151

NATs/Routes
-----------
global (outside) 1 209.177.206.151 netmask 255.0.0.0
nat (inside) 0 access-list inside-no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 209.177.206.254 1

Site A Peer
-----------
crypto map outside_map 29 match address ENCDOM100
crypto map outside_map 29 set peer 64.190.206.98

Colo Peer
--------
crypto map outside_map 87 match address ENCDOM101
crypto map outside_map 87 set peer 67.248.74.61

New Member

Hi Journi,I created the

See below

519
Views
0
Helpful
3
Replies