Hairpinning SSL VPN Clients on IOS router w/IPSEC GRE Tunnels

swharvey · ‎07-29-2009

Is it possible to terminate sslvpn anyconnect clients on a cisco router w/security ios that also has ipsec gre tunnels via the same external interface, and have the sslvpn anyconnect clients traffic traverse the ipsec tunnels to other destinations? What I'm looking for is similar to the "Hairpinning" capability on the ASA firewalls.

If so, what examples of acl's/routes would be needed for the router configuration.

Thanks in advance,

-Scott

Roman Rodichev · ‎07-30-2009

Yes, this is possible. I'm doing this on my 1841 at home.

Your IPSEC+GRE tunnels will be setup as usual. SSLVPN will have an ip pool associated, for example:

ip local pool svc-pool 172.16.2.1 172.16.2.253

!

webvpn context sslvpn

policy group sslvpn

svc address-pool "svc-pool"

If you want to advertise this subnet dynamically to GRE sites, configure a static route to null0:

ip route 172.16.2.0 255.255.255.0 null0

and then redistributed it into your IGP. Let me know if you need help with that.

Also, make sure your SSLVPN split-tunneling policy (if you have one), includes subnets at the remote GRE sites. I'm assigning this policy on ACS via Radius.

Regards,

Roman

ROBERTO TACCON · ‎08-03-2009

Hi Roman,

may I ask you how I can see the with the IOS wich users are connected with VPN SSL ? and with IPsec C2L ?

Thanks in advance.

Roberto Taccon

Roman Rodichev · ‎08-03-2009

Two separate commands:

VPN_Gateway#show webvpn session context all

WebVPN context name: sslvpn

Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used

xxx xx.xxx.xx.xxx 1 04:51:55 00:00:01

VPN_Gateway#show crypto session brief

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating

K - No IKE

ivrf = (none)

Peer I/F Username Group/Phase1_id Uptime Status

xxx.xx.xxx.xx Fa0/0 xxxxxXXXX xxxxxxxx 00:18:50 UA

Regards,

Roman