VPN Hair pinning

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • VPN Hair pinning

    Hi,

    I am trying to get our users that use the Cisco VPN client to have access to the networks across our site-to-site VPN.

    The clients terminate on the same ASA that has the site-to-site VPN, and thus I am trying to enable hairpinning.

    I have tried following a few guides online but can't seem to get it working. I try to ping a host on the remote network when connected and get no reply.

    Please could someone take a look at my config and setup below and let me know if this is correct.

    I don't have access to the remote site's firewall but have been told that they have added a NAT exemption rule and an entry to the site-to-site traffic access list for the client VPN network (10.1.1.0 255.255.255.0).

    Any help is appreciated

    Thanks


    Client VPN 10.1.1.0 255.255.255.0
    Local Site Network: 172.16.0.0 255.255.255.0
    Remote Site Network 1: 192.168.1.0 255.255.255.0
    Remote Site Network 2: 192.168.2.0 255.255.255.0
    Remote Site Network 3: 192.168.3.0 255.255.255.0
    Remote Site Network 4: 192.168.4.0 255.255.255.0


    -Related Config-
    same-security-traffic permit intra-interface
    object-group network Remote_Network
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.4.0 255.255.255.0

    object-group network Local_Network
    network-object 172.16.2.0 255.255.255.0
    network-object 172.16.1.0 255.255.255.0

    access-list outside_access_in extended permit tcp any interface outside eq https
    access-list nonat extended permit ip object-group Local_Network object-group Remote_Network
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
    access-list S2S_VPN extended permit ip object-group Local_Network object-group Remote_Network
    access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list split_tunnel standard permit 172.16.0.0 255.255.0.0
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.2.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.3.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.4.0 255.255.255.0
    ip local pool vpn-pool 10.1.1.1-10.1.1.50
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface https 172.16.2.5 https netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 9 set transform-set ESP-3DES-SHA
    crypto map transam 1 match address S2S_VPN
    crypto map transam 1 set peer x.x.x.x
    crypto map transam 1 set transform-set ESP-3DES-SHA
    crypto map transam 9 ipsec-isakmp dynamic dynmap
    crypto map transam interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal


    group-policy ClientVPN internal
    group-policy ClientVPN attributes
    dns-server value 172.16.2.2
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group ClientVPN type remote-access
    tunnel-group ClientVPN general-attributes
    address-pool vpn-pool
    authentication-server-group vpn_auth
    default-group-policy ClientVPN
    tunnel-group ClientVPN ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *

  • #2
    Re: VPN Hair pinning

    Do you have a route to the remote client?



    crypto dynamic-map dynmap 9 set transform-set ESP-3DES-SHA

    crypto dynamic-map dynmap 9 set reverse-route


    Also, to rule out any ACLs on your ASA:

    sysopt connection permit-vpn

    This will allow all VPN traffic to bypass any ACLs on your interfaces.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: VPN Hair pinning

      You may also need to add your remote-client pool to your no-nat ACL so when traffic hits the outside interface of your asa destined to a remote network it doesn't get natted.


      access-list nonat extended permit ip object-group Local_Network object-group Remote_Network
      access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0

      access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
      access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
      access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0

      or


      access-list nonat extended permit ip 10.1.1.0 255.255.255.0 object-group Remote_Network
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: VPN Hair pinning

        Thanks for the suggestions.

        I have run:
        sysopt connection permit-vpn

        and added the nonat rules and the reverse-route on the dynamic-map crypto.

        But this is still not working; I can't ping or access any hosts at the remote network.

        Anything else that might be wrong with my config?

        Here is the updated config:
        object-group network Remote_Network
        network-object 192.168.1.0 255.255.255.0
        network-object 192.168.2.0 255.255.255.0
        network-object 192.168.3.0 255.255.255.0
        network-object 192.168.4.0 255.255.255.0
        object-group network Local_Network
        network-object 172.16.2.0 255.255.255.0
        network-object 172.16.1.0 255.255.255.0
        access-list outside_access_in extended permit tcp any interface outside eq https
        access-list nonat extended permit ip object-group Local_Network object-group Remote_Network
        access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
        access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
        access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
        access-list S2S_VPN extended permit ip object-group Local_Network object-group Remote_Network
        access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
        access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
        access-list split_tunnel standard permit 172.16.0.0 255.255.0.0
        access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
        access-list split_tunnel standard permit 192.168.2.0 255.255.255.0
        access-list split_tunnel standard permit 192.168.3.0 255.255.255.0
        access-list split_tunnel standard permit 192.168.4.0 255.255.255.0
        ip local pool vpn-pool 10.1.1.1-10.1.1.50
        global (outside) 1 interface
        nat (inside) 0 access-list nonat
        nat (inside) 1 0.0.0.0 0.0.0.0
        static (inside,outside) tcp interface https 172.16.2.5 https netmask 255.255.255.255
        access-group outside_access_in in interface outside
        route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
        dynamic-access-policy-record DfltAccessPolicy
        crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
        crypto dynamic-map dynmap 9 set transform-set ESP-3DES-SHA
        crypto dynamic-map dynmap 9 set reverse-route
        crypto map transam 1 match address S2S_VPN
        crypto map transam 1 set peer x.x.x.x
        crypto map transam 1 set transform-set ESP-3DES-SHA
        crypto map transam 9 ipsec-isakmp dynamic dynmap
        crypto map transam interface outside
        crypto isakmp identity hostname
        crypto isakmp enable outside
        crypto isakmp policy 2
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
        no crypto isakmp nat-traversal
        group-policy ClientVPN internal
        group-policy ClientVPN attributes
        dns-server value 172.16.2.2
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value split_tunnel
        tunnel-group ClientVPN type remote-access
        tunnel-group ClientVPN general-attributes
        address-pool vpn-pool
        authentication-server-group vpn_auth
        default-group-policy ClientVPN
        tunnel-group ClientVPN ipsec-attributes
        pre-shared-key *
        tunnel-group x.x.x.x type ipsec-l2l
        tunnel-group x.x.x.x ipsec-attributes
        pre-shared-key *
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map global_policy
        class inspection_default
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect netbios
        inspect rsh
        inspect rtsp
        inspect skinny
        inspect sqlnet
        inspect sunrpc
        inspect tftp
        inspect sip
        inspect xdmcp
        !
        service-policy global_policy global


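        The replies so far list the pieces a hairpinned client-to-L2L flow needs on this ASA: intra-interface traffic permitted, the pool covered by the crypto ACL, and the remote networks in the split-tunnel list. The following is an added example, not code from the thread, that checks a pre-8.3 style config like the one posted above for those pieces; CONFIG is a constructed excerpt and the ACL/object names and 10.1.1.0/24 are the thread's own.

```python
# Added example (not the thread's own): static check of an ASA pre-8.3 config for the
# hairpin prerequisites the replies list; CONFIG is constructed from the posts.
import ipaddress

CONFIG = """\
same-security-traffic permit intra-interface
object-group network Remote_Network
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list S2S_VPN extended permit ip 10.1.1.0 255.255.255.0 object-group Remote_Network
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
crypto dynamic-map dynmap 9 set reverse-route
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_groups(cfg):
    # object-group name -> [networks]; only network-object members are read
    groups, cur = {}, None
    for p in map(str.split, cfg.splitlines()):
        if p[:2] == ["object-group", "network"]:
            cur = groups.setdefault(p[2], [])
        elif p[:1] == ["network-object"]:
            cur.append(_net(p[1], p[2]))
    return groups

def acl_permits(cfg, name, src, dst):
    # True if ACL `name` permits src->dst; standard ACLs match the destination only.
    groups = parse_groups(cfg)
    expand = lambda t: groups[t[1]] if t[0] == "object-group" else [_net(*t)]
    for p in map(str.split, cfg.splitlines()):
        if p[:2] != ["access-list", name]:
            continue
        if p[2:4] == ["standard", "permit"] and dst.subnet_of(_net(p[4], p[5])):
            return True
        if p[2:5] == ["extended", "permit", "ip"]:
            s, d = expand(p[5:7]), expand(p[7:9])
            if any(src.subnet_of(n) for n in s) and any(dst.subnet_of(n) for n in d):
                return True
    return False

def hairpin_findings(cfg, pool, crypto_acl, split_acl):
    # Gaps that would keep pool clients from reaching a Remote_Network member.
    pool, found = ipaddress.ip_network(pool), []
    if "same-security-traffic permit intra-interface" not in cfg:
        found.append("missing same-security-traffic permit intra-interface")
    for r in parse_groups(cfg)["Remote_Network"]:
        if not acl_permits(cfg, crypto_acl, pool, r):
            found.append(f"{crypto_acl} lacks {pool} -> {r}")
        if not acl_permits(cfg, split_acl, pool, r):
            found.append(f"{split_acl} lacks {r}")
    return found
```

        On the constructed excerpt the only finding is the missing split_tunnel entry for 192.168.2.0/24; the check does not cover the nonat ACL, which the thread later reports was not needed for this flow.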

        • #5
          Re: VPN Hair pinning

          You will have to do some logging on the ASA to see what's going on. You need to know if those pings are actually going across the tunnel. Also check with the other end to see if they can see that traffic coming inbound to them. They may have some ACLs set up etc. If this is a live network then I recommend logging to syslog. Also use packet tracer in ASDM to see where the failure is occurring. It will tell you.

          You may also want to add icmp inspection on the default policy as it is not enabled by default.


          inspect icmp


          Also post a show route from the ASA
          Last edited by auglan; 22nd March 2012, 17:38.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: VPN Hair pinning

            auglan,

            I have added the inspect icmp to the default policy.

            Here is the output from the show route:
            C x.x.x.x 255.255.255.252 is directly connected, outside
            C 172.16.0.0 255.255.0.0 is directly connected, inside
            S 10.1.1.1 255.255.255.255 [1/0] via x.x.x.x, outside
            S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

            I will try looking at the ASDM packet tracer to see if I can find anything.



            • #7
              Re: VPN Hair pinning

              When one of your remote clients connects to vpn you should see a /32 host route pointing back to that host in your routing table:

              You may want to verify that is happening.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)



              • #8
                Re: VPN Hair pinning

                Auglan,

                I think that is happening; you can see this line here:
                S 10.1.1.1 255.255.255.255 [1/0] via x.x.x.x, outside

                Which is a route for the client VPN when it's connected.

                When I look at the logging on the ASDM I can see the traffic originating from the client VPN destined for the remote network always results in a SYN Timeout:

                6 Mar 22 2012 17:44:53 302013 10.1.1.1 51366 192.168.4.2 80 Built inbound TCP connection 661917 for outside:10.1.1.1/51366 (10.1.1.1/51366) to outside:192.168.4.2/80 (192.168.4.2/80)

                6 Mar 22 2012 17:45:23 302014 10.1.1.1 51366 192.168.4.2 80 Teardown TCP connection 661917 for outside:10.1.1.1/51366 to outside:192.168.4.2/80 duration 0:00:30 bytes 0 SYN Timeout

                I am not sure how to check the traffic is flowing correctly; as far as I can see from the above it is going from outside to outside, which is what we want.

                Thanks


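                The 302013/302014 pair above is the signature of a hairpinned flow whose SYN left the tunnel and got no answer: built outside-to-outside, torn down after 30 seconds with zero bytes. The following is an added example, not code from the thread, that parses such ASA connection messages and flags exactly that pattern for a client pool; LOGS holds the two posted lines plus a constructed healthy inside-to-outside pair for contrast.

```python
# Added example, not from the thread: classify ASA 302013/302014 messages so a
# hairpinned flow torn down on "SYN Timeout" with zero bytes stands out. LOGS
# holds the two posted lines plus a constructed healthy inside->outside pair.
import ipaddress
import re

LOGS = """\
6 Mar 22 2012 17:44:53 302013 10.1.1.1 51366 192.168.4.2 80 Built inbound TCP connection 661917 for outside:10.1.1.1/51366 (10.1.1.1/51366) to outside:192.168.4.2/80 (192.168.4.2/80)
6 Mar 22 2012 17:45:23 302014 10.1.1.1 51366 192.168.4.2 80 Teardown TCP connection 661917 for outside:10.1.1.1/51366 to outside:192.168.4.2/80 duration 0:00:30 bytes 0 SYN Timeout
6 Mar 22 2012 17:45:40 302013 172.16.2.10 40000 192.168.4.2 80 Built outbound TCP connection 661918 for inside:172.16.2.10/40000 (172.16.2.10/40000) to outside:192.168.4.2/80 (192.168.4.2/80)
6 Mar 22 2012 17:45:45 302014 172.16.2.10 40000 192.168.4.2 80 Teardown TCP connection 661918 for inside:172.16.2.10/40000 to outside:192.168.4.2/80 duration 0:00:05 bytes 1234 TCP FINs
"""

CONN = re.compile(
    r"(?P<msgid>30201[34]) .*?(?P<event>Built|Teardown) (?:inbound |outbound )?TCP connection "
    r"(?P<conn>\d+) for (?P<sif>\w+):(?P<src>[\d.]+)/\d+ .*?to (?P<dif>\w+):(?P<dst>[\d.]+)/\d+"
    r"(?:.*?bytes (?P<bytes>\d+) (?P<reason>.+))?"
)

def parse_connections(text):
    """Connection id -> fields merged from its Built (302013) and Teardown (302014) lines."""
    conns = {}
    for line in text.splitlines():
        m = CONN.search(line)
        if m:
            conns.setdefault(m["conn"], {}).update(
                {k: v for k, v in m.groupdict().items() if v is not None})
    return conns

def hairpin_failures(text, pool):
    """Flows from `pool` that entered and left the same interface and died on
    SYN Timeout with no bytes: the SYN went out the tunnel, nothing came back."""
    pool, out = ipaddress.ip_network(pool), []
    for cid, c in parse_connections(text).items():
        if (c["sif"] == c["dif"] and ipaddress.ip_address(c["src"]) in pool
                and c.get("reason") == "SYN Timeout" and c.get("bytes") == "0"):
            out.append((cid, c["src"], c["dst"], c["sif"]))
    return out
```

                A hit from this check says the ASA forwarded the SYN and saw no SYN/ACK; as the next reply notes, that points at the far end (its crypto ACL or return route for the pool), which the thread's eventual resolution confirms.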

                • #9
                  Re: VPN Hair pinning

                  I would have them log on the other end to see what's going on. I am assuming that you can reach that host from your local network over the L2L tunnel? You could go into packet tracer and source some traffic from 10.1.1.1 to the remote host just to see if there are any issues there, but it may be an issue on the other end.


                  Also make sure that the remote sites have the remote access pool in their crypto ACL and that they also have a route back to 10.1.1.0/24.
                  Last edited by auglan; 22nd March 2012, 20:46.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)



                  • #10
                    Re: VPN Hair pinning

                    I can access the remote resources from the local network.

                    I will post an update once I have spoken with the other side.

                    Thanks



                    • #11
                      Re: VPN Hair pinning

                      Well,

                      Turns out it was an issue on the other side.

                      After that was resolved the config below worked.

                      In the end I did not need to specify no NAT between the client VPN and the remote network, but it didn't hurt it either way.

                      Thanks for all your help.



                      • #12
                        Re: VPN Hair pinning

                        Cool, what was the issue on the other side?
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)



                        • #13
                          Re: VPN Hair pinning

                          They were trying to route the client VPN range to another location and down the site-to-site VPN.

                          I don't have access to that firewall so can't be sure, but for certain it was configured incorrectly.



                          • #14
                            Re: VPN Hair pinning

                            Yeah, it's tough when you don't have access to all the pieces.
                            CCNA, CCNA-Security, CCNP
                            CCIE Security (In Progress)
