Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
682
Views
0
Helpful
2
Replies

ASA5520 Hairpinning for VPN

bas2
Level 1
Level 1

‎10-14-2018 11:38 PM - edited ‎02-21-2020 08:21 AM

Hi:

 

I have an ASA 5520 configured only for vpn termination. It is not the network's firewall, security appliance, etc.

 

On the primary firewall (non Cisco) I have hairpinning set up to allow local client to access publicly natted resouces by the public ip.

When vpn clients connect, the client cannot access the publicly natted resources (I assume due to the incorrectly set nat rules on the asa NOT the primary firewall).

 

An easy way to get this working would be split dns, but I don't want to implement that unless there is no way around it.

 

The asa has a single interface (gbe0). I need to set the nat rules to allow vpn clients to access local resources by the public ip/fqdn.

 

My main issue is not being well versed with the ASA's nat procedure/terminology.

 

Thanks!

0 Helpful
2 Replies 2

Marius Gunnerud
VIP
VIP

‎10-15-2018 11:04 AM

Is this a site 2 site VPN or AnyConnect VPN?

 

From what I understand of your issue is that you want to access internal resource by their public IPs, and the internal DNS servers you are using for resolution is translating to the internal IP and not the public IP?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

bas2
Level 1
Level 1
In response to Marius Gunnerud

‎10-15-2018 12:46 PM - edited ‎10-15-2018 12:50 PM

Marius:

 

Thanks for your reply.

 

Sort of, not quite. I utilize split dns only for exchange. All other publicly natted hosts are on external records.

 

My issue is only when users are connected to the vpn. Otherwise all services lookup normally.

 

While connected, if a user were to take any natted resource and access it by its public ip (20.1.1.1:8443) it is blocked.

If they access via the private ip (10.1.1.1:8443) it is accessible.

 

I assume this to be a hairpinning issue. Also keep in mind the asa is only used to terminate the vpn. It is not the primary firewall, etc.

 

This situation is unique in that it only shows up for vpn users. I assume this is because they are subject to the asa nat rules at this point. I am not as familiar with setting those rules, which is my issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card