Cisco Support Community

New Member

Hairpinning on ASA 5505

I am doing VPN proof of concept testing on my ASA 5505 in preparation for migration to two other 5510s. I have set up two VPN groups; one that allows for split tunneling, but grants user access in the internal NAT'ed network and one that does hairpinning, forcing the user back out on the same interface using a viable IP address range.

The former is working just fine, but I am having problems getting the latter to work.

I can connect to any server on the internal network but cannot route back to the Internet. I am using an internal DNS server in the internal network and it can resolve IP addresses no problem.

I suspect I am missing something relatively minor. Can someone take a look at my 5505 config and let me know what is happening?

I have this set up within my work network, 192.168.252.0/24. The outside IP of the firewall is 192.168.252.76 (DHCP assigned) and the internal network behind the firewall is 192.168.1.0/24. The VPN IP address range is 192.168.2.0/26. I have a Linux test server sitting behind the firewall using 192.168.1.2, which I can access just fine using the split tunneling and the hairpin method. But after connecting to the firewall using hairpinning and NO split tunneling, all my other outside connections drop.

Thanks in advance.

1 ACCEPTED SOLUTION
Green

Re: Hairpinning on ASA 5505

The VPN clients are considered to be sourced from whichever interface the VPN is terminating on. In your case, the outside interface. If you wanted to PAT the VPN clients on the outside interface to the 64.xx.xx.96 address:

global (outside) 2 64.xx.xx.96 255.255.255.224

nat (outside) 2 192.168.2.64 255.255.255.192

10 REPLIES
Green

Re: Hairpinning on ASA 5505

You are missing a NAT statement:

nat (outside) 1 192.168.2.64 255.255.255.192

New Member

Re: Hairpinning on ASA 5505

Yep. I missed that. Once I put it in, I was able to hairpin no problem.

On a related note (and if I need to open another conversation I will), how can I assign users who are hairpinning back out a valid outside IP address?

For example, users connect from home to our outside IP address on the firewall/VPN. They hairpin back out and are given a new IP address from our /25 block of IPs.

So, rather than getting an IP from the 192.168.2.0 /24 subnet used by VPN users, can I assign all outgoing or hairpinned connections something from the 64.xx.xx.96 /27 subnet?

Thanks again.

Green

Re: Hairpinning on ASA 5505

Is this what you're asking? Or do you want to change the VPN pool from 192.168.2.x to 66.xx.xx.x?

global (outside) 2 64.xx.xx.96 255.255.255.224

nat (outside) 2 192.168.2.64 255.255.255.192

Please rate helpful posts.

New Member

Re: Hairpinning on ASA 5505

Based on what I read (and I could be wrong), the VPN pool is simply a different subnet of IP addresses assigned to VPN users, not intended for Internet routing. They do not use this IP address range for external connections.

I would like these VPN users to be assigned a valid, routable IP address from my outside block.

I tried manually adding these outside IP addresses (64.xx.xx.96), but the firewall complains of overlap with the outside interface.

Am I misunderstanding this then?

Green

Re: Hairpinning on ASA 5505

Typically, you assign the VPN clients a private pool. If they need to be routable, you can NAT them during the hairpin to those 64.x addresses.

New Member

Re: Hairpinning on ASA 5505

Ahh... gotcha. That makes sense.

One last question: I am not certain how the GUI manages this, as I am not certain whether to create the NAT rule on the inside, outside, dmz, or media interface.

It's easy enough when I have only two interfaces, outside and inside. What about the other interfaces? Is the VPN pool assigned to a specific interface?

Is there a simple CLI command to do this?

Much appreciated.

Green

Re: Hairpinning on ASA 5505

The VPN clients are considered to be sourced from whichever interface the VPN is terminating on. In your case, the outside interface. If you wanted to PAT the VPN clients on the outside interface to the 64.xx.xx.96 address:

global (outside) 2 64.xx.xx.96 255.255.255.224

nat (outside) 2 192.168.2.64 255.255.255.192
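Putting the thread's pieces together, the following is an added example (not the original poster's configuration and not the answerer's complete config) of the hairpin-related section of a pre-8.3 ASA configuration using the nat/global syntax from the replies. It uses the addresses given in the thread (inside 192.168.1.0/24, VPN pool 192.168.2.64/26, public block 64.xx.xx.96/27, left elided as in the posts); the pool name VPNPOOL, the interface names inside/outside, and the NAT ids 1 and 2 are assumptions.

```text
! Added example configuration; names and NAT ids are assumed, addresses are from the thread.

! Hairpinning means VPN client traffic enters and leaves on the outside interface.
! The ASA drops intra-interface traffic unless this is enabled.
same-security-traffic permit intra-interface

! Address pool handed to VPN clients (192.168.2.64/26 from the thread; pool name assumed).
ip local pool VPNPOOL 192.168.2.65-192.168.2.126 mask 255.255.255.192

! Existing translation for inside hosts (assumed): PAT to the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! VPN clients are "sourced" on the interface that terminates the tunnel, so their
! nat statement is written against (outside), not (inside). Two choices:
!
! Option A - share the outside interface address with inside hosts:
!   nat (outside) 1 192.168.2.64 255.255.255.192
!
! Option B (the accepted answer) - PAT hairpinned clients to a public address from
! the 64.xx.xx.96/27 block, using a separate NAT id so it is matched independently.
global (outside) 2 64.xx.xx.96 255.255.255.224
nat (outside) 2 192.168.2.64 255.255.255.192
```

Use only one of the two options for the 192.168.2.64/26 range; two nat statements for the same subnet on the same interface are ambiguous. Because the group has no split tunneling, every packet the client sends to the Internet now crosses the ASA, so the outside interface access list and any inspection policy apply to it; `same-security-traffic permit intra-interface` also permits other U-turn traffic on that interface, so review the outside ACL after enabling it.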

New Member

Re: Hairpinning on ASA 5505

Much appreciated. That did the trick.

Was able to configure on both ASDM and CLI.

Very cool.

New Member

Re: Hairpinning on ASA 5505

Does anyone know if it is possible to do the hairpin on an IOS FW setup? If so, what is the trick? There isn't an interface to put the "nat inside" on for the IPsec client. Thanks.

Re: Hairpinning on ASA 5505

Yes, you can: use a loopback interface.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

PLS rate any helpful post

Rgds

Jorge
