1925 Views, 5 Helpful, 3 Replies

Anyconnect Hairpin to WAN outside

Firestar_ISH (Level 1)

Hi Everyone

I have been having some problems getting a NAT statement to work, and I hope there is someone who can help me.

The basic idea is that I need to redirect the VPN connection out through the Cisco ASA 5506-X unit, so that the client's WAN address gets translated to the OUTSIDE WAN link on the Cisco ASA unit.

So far it's working. When I connect to the VPN, the WAN address changes to the Outside IP and I can access a web server that needs the right address to work.

The strange thing is that if I enable the rule, all the normal NAT / ACL from Outside to Inside for a web server on the client's inside stops working!

So right now I can choose between having hairpin or having access to servers from the outside.

Here are the NAT rules I created.

Hairpin:

nat (outside,outside) source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface

NAT rule for the server + ACL allowing traffic from outside to inside:
nat (DMZ,outside) static interface net-to-net no-proxy-arp service tcp http http

Any ideas?

Accepted Solution

You have to move your hairpin NAT rule to the third NAT section:

no nat (outside,outside) source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface


3 Replies


Hello Karsten,

I can confirm that after I moved the rule, it worked!

Why does moving the rule down make any difference? :)

The rules are processed top-down. And the general PAT rules to the internet always have to be at the end of that list.
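As an added example (not taken from any post in this thread), here is how the complete NAT table looks once the hairpin rule sits in section 3, written out in the order the ASA evaluates it. The object names and the addresses for the VPN pool and the DMZ server are assumed for illustration; only the two nat statements quoted above come from the thread.

```cisco
! Added example, not the original poster's running config.
! Addresses are placeholders from the documentation ranges.

! Required for any (outside,outside) hairpin: the ASA must be allowed to
! receive and send a flow on the same interface.
same-security-traffic permit intra-interface

! Assumed objects.
object network NETWORK_OBJ_INTERNALVPNPOOL
 subnet 192.0.2.0 255.255.255.0
object network DMZ_WEB
 host 10.10.10.80

! --- Section 1: manual (twice) NAT ---------------------------------------
! Nothing here. The hairpin PAT used to live in this section, where it was
! evaluated before the static rule below and broke inbound access.

! --- Section 2: object (auto) NAT ----------------------------------------
! The specific static for the DMZ web server: one host, tcp/80 only.
object network DMZ_WEB
 nat (DMZ,outside) static interface net-to-net no-proxy-arp service tcp http http

! --- Section 3: manual NAT, after-auto ------------------------------------
! The general PAT for the AnyConnect pool out the WAN address. Placed last so
! it is only reached when nothing more specific matched.
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface

! Assumed ACL that lets the outside reach the published web server.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq http
access-group OUTSIDE_IN in interface outside

! Check the resulting order and hit counts.
show nat detail
```

Two practical notes: the hairpin only carries client internet traffic when the AnyConnect group policy tunnels all traffic (no split tunneling), otherwise the client's own WAN address is still used; and `show nat detail` lists the three sections in evaluation order, so you can confirm the dynamic PAT really appears after the static before testing from outside.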
