topic Hairpinning on 8.4 ASA 5505 and above in Network Security

Hairpinning on 8.4 ASA 5505 and above

ken.montgomery — Tue, 12 Mar 2019 02:38:19 GMT

So, we have put in a branch with only an ASA. We want to be able to reach the inside interface of the ASA, so that we can use tools for network monitoring, etc. on it.

The inside interface is unreachable from remote VPN locations, though can be reached from inside, and all inside hosts are reachable from the VPN... I have the same-security interface commands in place, but still no go...

I'm missing something, but the nat commands I'm finding are for older versions, and I'm not sure where the problem occurs. Any help/suggestions are appreciated...

Relevant parts of the config (I think I have them all) listed below:

: Saved

ASA Version 8.4(5)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

speed 100

duplex full

interface Vlan1

description LAN_NETWORK

interface Vlan2

nameif outside

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object-group network REMOTE_NETWORKS

description REMOTE LOCAL NETWORKS

network-object 10.15.6.0 255.255.254.0

object-group network LAN_NETWORKS

network-object 10.1.3.0 255.255.255.0

access-list CORPORATE_VPN_ACL extended permit ip object-group REMOTE_NETWORKS object-group LAN_NETWORKS

access-list INSIDE_NONAT extended permit ip object-group REMOTE_NETWORKS object-group LAN_NETWORKS

ip verify reverse-path interface inside

ip verify reverse-path interface outside

nat (inside,outside) source static REMOTE_NETWORKS REMOTE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS

nat (inside,outside) source static REMOTE_NETWORKS REMOTE_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup

nat (inside,outside) source dynamic any interface

object network obj_any

nat (inside,outside) dynamic interface

Hairpinning on 8.4 ASA 5505 and above

Jouni Forss — Fri, 13 Sep 2013 14:55:48 GMT

Hi,

To reach the "inside" interface through a L2L VPN or Client VPN you will have to add the following global configuration

management-access inside

This will enable you to ICMP the "inside" interface from a site thats behind the VPN connection. Otherwise its not possible

This will also give you the ability to manage the ASA using the IP address of the "inside" interface through the VPN connection.

Hope this helps

- Jouni

Hairpinning on 8.4 ASA 5505 and above

Jouni Forss — Fri, 13 Sep 2013 14:58:36 GMT

Also,

I would like to confirm the NAT configuration you have above.

It states the source interface as "inside" and destination as "outside". Yet is has an source "object" called REMOTE_NETWORKS which kind of seems strange. But as you say that the connections work through the VPN connection I guess this "object" name rather refers that the network behind "inside" is the network of a remote location?

- Jouni

Hairpinning on 8.4 ASA 5505 and above

ken.montgomery — Fri, 13 Sep 2013 14:58:48 GMT

management-access inside is already enabled. Not the answer. Thanks for the suggestion though!

Re: Hairpinning on 8.4 ASA 5505 and above

Jouni Forss — Fri, 13 Sep 2013 15:00:46 GMT

Hi,

The general form of NAT you should use for the L2L VPN connections is

object network LAN

subnet

object network REMOTE-LAN

subnet

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN route-lookup

I cant be sure if your NAT configuration are correct as you have removed the "inside" interface IP address and have not shared the VPN configuration or routing configuration.

- Jouni

Hairpinning on 8.4 ASA 5505 and above

ken.montgomery — Fri, 13 Sep 2013 15:03:28 GMT

The nat statement is as above right now. Whether it is perfect or not, unknown. Potentially it might need to be inside, inside, but since the VPN connection is to the remote end of the network, not sure what that will affect. Might need some more insight into that ...

Hairpinning on 8.4 ASA 5505 and above

ken.montgomery — Fri, 13 Sep 2013 15:06:38 GMT

I think you're getting hung up on the terminology.

Change the word Remote to branch and it makes more sense. Let me try to explain:

: Saved

ASA Version 8.4(5) <--- Version on AsA for reference

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

speed 100

duplex full

interface Vlan1

description LAN_NETWORK

interface Vlan2

nameif outside

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object-group network BRANCHOFFICE_NETWORKS <--- This is the ASA at the Branch Office, so this is its internal network

description BRANCHOFFICE LOCAL NETWORKS

network-object 10.15.6.0 255.255.254.0

object-group network LAN_NETWORKS <--- These are the networks (there are more than this) at the corporate office

network-object 10.1.3.0 255.255.255.0

access-list CORPORATE_VPN_ACL extended permit ip object-group BRANCHOFFICE_NETWORKS object-group LAN_NETWORKS

access-list INSIDE_NONAT extended permit ip object-group BRANCHOFFICE_NETWORKS object-group LAN_NETWORKS

ip verify reverse-path interface inside

ip verify reverse-path interface outside

nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS

nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup

nat (inside,outside) source dynamic any interface

object network obj_any

nat (inside,outside) dynamic interface

Thus, I believe the nat statement already covers what you stated.

Hairpinning on 8.4 ASA 5505 and above

Jouni Forss — Fri, 13 Sep 2013 15:06:58 GMT

Hi,

I am not sure what part of this situation is Hairpinning

I understood that you were trying to reach the "inside" interface through the L2L VPN or VPN Client connection.

I would really need to see more configurations to determine if there is any problem with the configurations.

- Jouni

Hairpinning on 8.4 ASA 5505 and above

Jouni Forss — Fri, 13 Sep 2013 15:09:36 GMT

Hi,

What is the source network for the connections that are trying to reach the ASA "inside" interface?

- Jouni

Hairpinning on 8.4 ASA 5505 and above

ken.montgomery — Fri, 13 Sep 2013 15:11:54 GMT

Answer is the route-lookup is missing on the end of the nat command.

Fixed nat command is this:

nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS route-lookup

Thanks for the help.