New Member

RA IPSEC - enable hairpinning but restricting access to web

ASA5520     8.2(5)30

Greetings,

I have an IPSEC RA policy that's set up to tunnel all traffic (no split-tunnel) through the ASA (terminates on the outside interface).  I need to be able to allow these same VPN users to access one web page (hairpinning) on the outside interface.

++++++++++++++++++++++++++++++

Here are the current settings:

group-policy L-Admins internal

group-policy L_Admins attributes

wins-server value 172.16.0.33 172.16.0.9

dns-server value 172.16.0.33 172.16.0.9

vpn-idle-timeout 60

vpn-session-timeout 480

vpn-filter value l-admin-filter

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.1.4

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.1.2

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 10.24.0.0 255.252.0.0

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.233

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelall

default-domain value IHI.local

tunnel-group L_Admins type remote-access

tunnel-group L_Admins general-attributes

address-pool ili_global

authentication-server-group PhoneFactor

default-group-policy L_Admins

tunnel-group L_Admins ipsec-attributes

pre-shared-key *

++++++++++++++++++++++

Hairpinning is currently not enabled, so I assume I need to add:

same-security-traffic permit inter-interface

and (I assume)

ip local pool l_admins 172.30.4.1-172.30.4.2 mask 255.255.255.252

global (outside) 1 interface ***** PAT IP

nat (outside) 1 172.30.4.1-172.30.4.2 mask 255.255.255.252

But from here I don't know how to restrict access to a single external IP on the web over port 80.

Accepted Solutions
Super Bronze

RA IPSEC - enable hairpinning but restricting access to web

Hi,

The correct command to enable traffic to enter and leave the same interface is

same-security-traffic permit intra-interface

The command you posted allows traffic between 2 different interfaces which have the same "security-level" value

same-security-traffic permit inter-interface

With regards to the Dynamic PAT for Internet traffic

If you have this already

global (outside) 1 interface

Then you will need the "nat" command for the VPN pool

nat (outside) 1 172.30.4.0 255.255.255.252

With regards to controlling the traffic towards the Internet, shouldn't you be able to simply add that destination server IP address to the VPN Filter ACL you already have in use? I mean the ACL named "l-admin-test-filter".

For example

access-list l-admin-test-filter remark Allow external server connection

access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 80

access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 443

access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 8080

- Jouni
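
An added example, not part of the posts in this thread: a small Python check that models a vpn-filter ACL as a first-match list with an implicit deny, so the rule set can be tested against sample flows before it is applied. The ACL lines and the address 203.0.113.10 (standing in for the external web server) are constructed, and only numeric `eq` ports are handled.

```python
import ipaddress

# Constructed sample: vpn-filter ACL in the style used in this thread.
# 203.0.113.10 is a documentation address standing in for the external web server.
SAMPLE_ACL = """\
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 10.24.0.0 255.252.0.0
access-list l-admin-test-filter remark Allow external server connection
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host 203.0.113.10 eq 80
"""

def _addr(tok):
    """Consume 'host A', 'any' or 'A MASK' from the token list; return a network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # Raises ValueError for a non-contiguous mask such as 255.255.252.252
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_acl(text):
    """Return ordered (action, proto, src, dst, port) tuples; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]            # drop 'access-list <name>'
        if not tok or tok[0] == "remark":
            continue
        if tok[0] == "extended":
            tok.pop(0)
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        # Assumption: destination port is given numerically ('eq 80', not 'eq www')
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def permitted(rules, proto, src, dst, dport=None):
    """First match wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action == "permit"
    return False
```

With the sample rules, a VPN client reaches 203.0.113.10 only on TCP port 80; any other Internet destination or port falls through to the implicit deny.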

New Member

RA IPSEC - enable hairpinning but restricting access to web

Hi Jouni,

Thanks so much for the prompt reply.  I will add the nat and acl statements and report back.

-Tom

New Member

Re: RA IPSEC - enable hairpinning but restricting access to web

Jouni-

Worked like a charm!!

Thanks for your help

Super Bronze

RA IPSEC - enable hairpinning but restricting access to web

Hi,

Great to hear that it's working as expected.

- Jouni
