02-02-2017 02:29 AM - edited 03-12-2019 01:52 AM
Hi All,
I was hoping someone could explain this to me or set me straight. We have a Cisco ASA 5525X (running 9.2) and are in a good position where we can use real IP addresses. What I am hoping to do is a Hairpin Scenario.
People will connect to a Real IP on the outside interface, get a VPN Pool address (from a pool of REAL IP addresses) and get routed back out the same interface with the use of identity NAT.
I have got this to work using dynamic PAT and a static route, but my IP address when connecting to servers/the internet shows as the outside interface IP.
object network VPN-General
subnet 137.X.X.X 255.255.255.192
nat (any,Outside) source dynamic VPN-General interface
route Outside 0.0.0.0 0.0.0.0 <gateway of Outside Int IP> 1
I have been reading and tried a lot of examples, but is it possible to get a REAL VPN pool address and, when leaving the ASA via the Outside interface, keep my pool address?
Thanks
N
02-02-2017 11:32 AM
I don't see why this won't be possible. As long as you have the identity NAT correctly configured to u-turn the traffic from outside to outside, this should be doable. I have not seen a deployment doing this yet as not many folks have a lot of spare public IPv4 addresses.
Another option is to do the same dynamic NAT as before, only do it to a separate public IP (or pool of public IP addresses) so that they show up as different addresses from the external IP address. This option saves you using all the IP addresses in a VPN pool.
02-03-2017 02:05 AM
Hi Rahul/Marius,
Thanks for taking the time to respond. I think I am either doing this wrong or missing something.
I have the same-security-traffic permit intra-interface command on the ASA.
What I have is the following:
Outside Interface:
nameif Outside
IP address 193.X.X.X 255.255.255.0
object network VPN-General
subnet 137.X.X.X 255.255.255.192
ip local pool VPN-General 137.X.X.X-137.X.X.X mask 255.255.255.192 (same as above object network)
Static Route
0.0.0.0 0.0.0.0 <193.X.X.X (outside interface Gateway)>
nat (Outside,Outside) source static VPN-General VPN-General no-proxy-arp route-lookup
So when you connect with the AnyConnect client to the outside interface, you get a REAL IP address. I then want to be able to get this REAL VPN pool address to be visible when being used for internet and internal resources. As I was saying, I have this working with dynamic PAT but would like to use identity NAT.
Is this possible? Thanks for your time
Net-ops
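As an added example (not the original poster's running config and not Cisco's own documentation), the two approaches Marius outlined, written against the same object names and X-masked addresses used in the thread, followed by the verification commands Rahul mentioned. The gateway 193.X.X.1, the spare public address 193.X.X.Y and the test destination 203.0.113.10 are placeholders.

```cisco
! Added example: identity-NAT u-turn vs. dynamic NAT to a spare public IP.
! Object names and 137.X.X.0/26 pool are taken from the thread; other
! addresses are placeholders.

! Required for Outside -> Outside (u-turn) traffic in either approach.
same-security-traffic permit intra-interface

object network VPN-General
 subnet 137.X.X.0 255.255.255.192
ip local pool VPN-General 137.X.X.4-137.X.X.62 mask 255.255.255.192

! Default route toward the Outside gateway (193.X.X.1 is a placeholder).
route Outside 0.0.0.0 0.0.0.0 193.X.X.1 1

! --- Option 1: identity NAT, clients keep their public pool address ---
! route-lookup makes the ASA choose the egress interface from the routing
! table (the default route above) instead of from the mapped interface.
nat (Outside,Outside) source static VPN-General VPN-General route-lookup

! --- Option 2 (instead of Option 1): dynamic NAT to a separate public IP ---
! 193.X.X.Y is a placeholder for a spare public address that is not the
! Outside interface address, so VPN users appear with a distinct source IP.
! object network VPN-NAT-Public
!  host 193.X.X.Y
! nat (Outside,Outside) source dynamic VPN-General VPN-NAT-Public

! --- Verification ---
! Simulate a pool client reaching an internet host; the output shows which
! NAT rule matched and which interface the ASA selects as egress.
packet-tracer input Outside tcp 137.X.X.4 40000 203.0.113.10 443 detailed
! Capture on Outside to confirm packets leave with a 137.X.X.0/26 source
! and that return traffic for that range comes back in.
capture VPNCAP interface Outside match ip 137.X.X.0 255.255.255.192 any
show capture VPNCAP
show nat detail
```

Apply only one of the two nat statements; with both present the first matching rule wins. The capture filter is scoped to the pool range so it does not fill with unrelated Outside traffic.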
02-03-2017 11:05 AM
Remove the no-proxy-arp command from the NAT statement and then test.
--
Please remember to select a correct answer and rate helpful posts
02-06-2017 06:07 AM
Hi Marius,
Thanks for the suggestion. No luck though, I am afraid. Do you have any other recommendations that I could try?
Thanks
Net
02-06-2017 06:13 AM
Can you apply a capture on the outside interface to see if packets are going out and coming back in using the real IP address pool range? Also attach your sanitized config here if possible.
02-06-2017 08:37 AM
02-06-2017 12:20 PM
Could you identify the last octet in your VPN pool?
ip local pool VPN-General 137.X.X.X-137.X.X.X mask 255.255.255.192
02-07-2017 01:43 AM
Hi,
137.X.X.4 - 137.X.X.62
Thanks
02-07-2017 08:09 AM
Is the 137.x.x.0/26 network routed towards the outside IP of your ASA?
02-07-2017 08:17 AM
Yeah,
I have a static route 0.0.0.0 0.0.0.0 <gateway of Outside interface>
I could not route directly to the IP itself, is this normal?
02-07-2017 09:47 AM
You misunderstand. Your ISP needs to ensure that the 137.x.x.0/26 network is routed toward your outside interface.
02-08-2017 12:57 AM
Hi Marius,
As we use only REAL IP addresses on our network, all are routable to the internet, and we can use them at any location on our network. Our ASA is connected into our core on the same VLAN as our ISP connection, so any IP going out the outside interface has direct access to the internet. We have this existing configuration working on an older ASA (running asa723-k8.bin), so I am just trying to replicate this. It's the exact same thing. The older ASA is also in the same /24 VLAN, and when connected you get a REAL IP; this is then hairpinned back out the outside interface using these NAT commands. They are no longer available in 9.2 it seems.
nat-control
nat (outside) 0 137.X.X.X 255.255.255.0
I have attached a diagram of the network layout (sorry, it's pretty simple looking) to help try to explain. I have changed the IP addresses slightly to help, but they are all internet routable.
Thanks
02-08-2017 01:54 AM
I also notice that in older code you can statically route all traffic or VPN pool traffic directly to the IP address of the outside interface on the ASA. Trying to do this in 9.2 code gives an error:
Invalid next hop address <ASA Outside IP Address>, it matches our IP address
02-08-2017 10:27 AM
The older ASA, does it also use 137.x.x.x for the VPN pool?