Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
0
Helpful
2
Replies

Changing from Split Tunnel to Hairpin

Go to solution
nullwolf78
Level 1
Level 1

‎05-13-2016 04:33 PM - edited ‎03-12-2019 12:45 AM

I'm going to preface this by stating that I am a total newbie when it comes to Cisco products.

I was tasked with setting up our new Cisco ASA 5506-x for use as a network firewall and to connect via VPN into our office.

I managed my way through the initial setup and was able to connect via the VPN etc... The beginning of this week, I was tasked with setting up to authenticate vs our Windows 2012 R2 AD. I got that going. Then with setting up 2-factor authorization. That's working as well. On to the problem at hand...

When I setup the VPN NAT rules, I decided to use split tunneling so that user Internet queries would go through their own connections. I managed to make that work. Yesterday, my boss came to me and said that he wanted to go from the split tunnel to having everything tunnel through the VPN connection. I assumed that this would be relatively simple. And I have managed to NOT be able to figure out how to change over from split tunnel to hairpinning. I can see how it's supposed to be, but I keep missing something. I'm assuming this is a problem with my NAT rules. I'm posting a sanitized version of the running-config. (I just restored to this a few minutes ago so that I can still VPN into the office as I have been.)

Please, if anyone has any insights into this, it would be exceedingly helpful.

Thank you,

~Robert~

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 13:45:00.686 UTC Fri May 13 2016
!
ASA Version 9.5(2) 
!
hostname ciscoasa
domain-name <domain>
enable password <password> encrypted
names
ip local pool <pool> 192.168.2.200-192.168.2.240 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address <company static IP> 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 ip address 192.168.5.1 255.255.255.0 
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8 outside
 name-server 8.8.4.4 outside
 domain-name <domain>
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.192_26
 subnet 192.168.2.192 255.255.255.192
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
access-list <split> standard permit 192.168.2.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.192_26 NETWORK_OBJ_192.168.2.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 97.79.161.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server <RADIUSserver> protocol radius
aaa-server <RADIUSserver> (inside) host 192.168.2.15
 key <radiusKEY>
aaa-server <2factor> protocol ldap
aaa-server <2factor> (outside) host <2factorhost>
 timeout 60
 server-port 636
 ldap-base-dn <2factorinfo>
 ldap-naming-attribute cn
 ldap-login-password <2factorinfo>
 ldap-login-dn <2factorinfo>
 ldap-over-ssl enable
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer <companystaticIP2> 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer <companystaticIP2> 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
<certificate>
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.2.200-192.168.2.240 inside
dhcpd dns 192.168.2.15 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.03013-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-64-4.2.03013-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.03013-k9.pkg 3
 anyconnect profiles <acprofile> disk0:/<acprofile>.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
group-policy GroupPolicy_<companystaticIP2> internal
group-policy GroupPolicy_<companystaticIP2> attributes
 vpn-tunnel-protocol ikev1 ikev2 
group-policy GroupPolicy_<domain> internal
group-policy GroupPolicy_<domain> attributes
 wins-server none
 dns-server value 192.168.2.15 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <split>
 default-domain value <domain>
 address-pools value <pool>
 webvpn
  url-list value arlington-bm
  anyconnect profiles value <acprofile> type user
dynamic-access-policy-record DfltAccessPolicy
username <localuser> password <localuserpass> encrypted privilege 15
tunnel-group <domain> type remote-access
tunnel-group <domain> general-attributes
 address-pool <pool>
 authentication-server-group <RADIUSserver> LOCAL
 secondary-authentication-server-group <2factor> LOCAL use-primary-username
 default-group-policy GroupPolicy_<domain>
tunnel-group <domain> webvpn-attributes
 customization <officename>
 group-alias <domain> enable
tunnel-group <companystaticIP2> type ipsec-l2l
tunnel-group <companystaticIP2> general-attributes
 default-group-policy GroupPolicy_<companystaticIP2>
tunnel-group <companystaticIP2> ipsec-attributes
 ikev1 pre-shared-key <psk>
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:6464a43c0b9d75f4c8dfdee46ec55b2d
: end
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Paul Chapman
Level 4
Level 4

‎05-13-2016 05:56 PM

Hi Robert -

I've written about this problem previously HERE.

By default the ASA does not permit traffic to enter and leave the same interface, so you must first override this behavior.  Once this is done, you need to rework your NATs as follows:

! Allow traffic to enter and leave same interface
same-security-traffic permit intra-interface
!
! Delete problem NAT and object
no object network obj_any
!
! Create new Inside -> Outside NAT
nat (inside,outside) after-auto dynamic any interface
!
! Create NAT for hairpinned traffic
nat (outside,outside) after-auto dynamic NETWORK_OBJ_192.168.2.192_26 interface

Almost forgot... You have to change your split tunnel policy also.

group-policy GroupPolicy_<domain> attributes
 no split-tunnel-network-list value <split>
 split-tunnel-policy tunnelall

PSC

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Paul Chapman
Level 4
Level 4

‎05-13-2016 05:56 PM

Hi Robert -

I've written about this problem previously HERE.

By default the ASA does not permit traffic to enter and leave the same interface, so you must first override this behavior.  Once this is done, you need to rework your NATs as follows:

! Allow traffic to enter and leave same interface
same-security-traffic permit intra-interface
!
! Delete problem NAT and object
no object network obj_any
!
! Create new Inside -> Outside NAT
nat (inside,outside) after-auto dynamic any interface
!
! Create NAT for hairpinned traffic
nat (outside,outside) after-auto dynamic NETWORK_OBJ_192.168.2.192_26 interface

Almost forgot... You have to change your split tunnel policy also.

group-policy GroupPolicy_<domain> attributes
 no split-tunnel-network-list value <split>
 split-tunnel-policy tunnelall

PSC

0 Helpful

Go to solution
nullwolf78
Level 1
Level 1
In response to Paul Chapman

‎05-13-2016 06:37 PM

Thank you so much Paul, that worked perfectly.

I must have not searched the right set of words to get your prior post about it.

Thank you again so much.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card