hairpinning on asa5505 with any condition

patrifick
Level 1

Hi,

I wonder whether anybody would be able to help. I need to set up hairpinning on our asa5505, with these conditions.

- I have 4 networks in NAT on the firewall: inside, dmz, wifi, chit

- the hairpinning works well on the "inside" network as we need

- I need to set up hairpinning on "chit" and "wifi", however I need to have it done for any traffic

The hairpinning works without issue on the inside network as we specify which traffic needs to return, and I would be able to create it on the other networks; however, on chit and wifi I cannot specify the traffic to return as we need to enable it for all of the traffic.

thanks
Patrick

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ch-asa
domain-name chathamhouse.org.uk
names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.187 Logmein-outside-187
name 10.3.3.10 VPN0
name 10.3.3.11 VPN1
name 10.3.3.12 VPN2
name 10.3.3.13 VPN3
name 10.3.3.14 VPN4
name 10.3.3.15 VPN5
name 10.1.4.2 docsvr
name 62.253.196.186 keats-outside-186
name 192.206.158.10 sirsi-3
name 10.1.5.2 webfilter
name 90.208.247.40 keats-rdp1
name 93.97.184.223 keats-rdp2
name 62.253.196.190 portal-outside-190
name 84.252.211.25 keats-rdp3
name 10.100.0.0 CH-DR
name 10.1.5.100 nas
name 93.89.134.153 keats-rdp4
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan5
nameif wifi
security-level 49
ip address 172.16.1.1 255.255.255.0
!
interface Vlan6
nameif chit
security-level 48
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 6
!
interface Ethernet0/4
switchport access vlan 5
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
network-object host sirsi-3
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
network-object host portal-outside-190
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN0
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
object-group service vpn tcp-udp
port-object eq 1723
object-group network Keats_IP
network-object host keats-rdp1
network-object host keats-rdp2
network-object host keats-rdp3
network-object host keats-rdp4
object-group network DM_INLINE_NETWORK_3
network-object host exchsvr
network-object host barracuda
object-group service doscvr-31843
service-object tcp eq 31843
object-group network DM_INLINE_NETWORK_4
network-object host unicorn-outside-182
network-object host portal-outside-190
object-group service NAS-22222 tcp-udp
port-object eq 22222
object-group network DM_INLINE_NETWORK_2
network-object host keats-outside-186
network-object host sdt-rdc
object-group service backup-exec-list tcp-udp
port-object eq 49152
port-object eq 49153
port-object eq 49154
port-object eq 49155
port-object eq 49156
port-object eq 49157
port-object eq 49158
port-object eq 49159
port-object eq 49160
port-object eq 49161
port-object eq 49162
object-group service DM_INLINE_TCP_2 tcp
group-object backup-exec
group-object backup-exec-list
object-group service DM_INLINE_TCP_3 tcp
group-object backup-exec
group-object backup-exec-list
object-group service DM_INLINE_TCP_4 tcp
group-object backup-exec
group-object backup-exec-list
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list outside_access_in extended permit tcp object-group sirsi-support any object-group rdc-3389
access-list outside_access_in extended permit tcp any host docsvr eq 31843
access-list outside_access_in extended permit object-group TCPUDP any any object-group NAS-22222 inactive
access-list outside_access_in extended permit tcp any any eq imap4
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 any eq smtp
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 host ctxdmz object-group DM_INLINE_TCP_3
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 CH-DR 255.255.0.0
access-list split-acl standard permit 10.1.0.0 255.255.0.0
access-list wifi_access_in extended permit ip any any
access-list chit_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 172.16.250.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 CH-DR 255.255.0.0
access-list outside_cryptomap_2 extended permit ip 10.1.0.0 255.255.0.0 CH-DR 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu wifi 1500
mtu chit 1500
ip local pool CH-VPN-IP VPN0-10.3.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 172.16.1.0 255.255.255.0 dns
nat (wifi) 1 0.0.0.0 0.0.0.0 dns
nat (chit) 1 192.168.10.0 255.255.255.0
nat (chit) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255  dns
static (inside,outside) tcp interface ssh webfilter ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255  dns
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255  dns
static (inside,outside) tcp keats-outside-186 3389 docsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp portal-outside-190 www docsvr www netmask 255.255.255.255  dns
static (inside,outside) tcp portal-outside-190 https docsvr https netmask 255.255.255.255  dns
static (inside,outside) tcp connect-outside-181 22222 nas 22222 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (inside,inside) unicorn-outside-182 unicornsvr netmask 255.255.255.255
static (inside,inside) portal-outside-190 docsvr netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
access-group wifi_access_in in interface wifi
access-group chit_access_in in interface chit
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 109.104.105.38
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.200-192.168.10.225 chit
dhcpd dns 194.168.4.100 194.168.8.100 interface chit
dhcpd lease 86400 interface chit
dhcpd enable chit
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value riia.local
username sdt.support password cdUOkKYGfsyZgwTx encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1fJc82CICO2zAFcfTW47KQ== nt-encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
tunnel-group 109.104.105.38 type ipsec-l2l
tunnel-group 109.104.105.38 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

: end

5 Replies

varrao
Level 10

Hi Patrick,

Yes, we can set it up. Let's take an example: you have a 192.168.10.0 network behind the chit interface, so you would need the following configuration:

nat (chit) 10 0.0.0.0 0.0.0.0
global (chit) 10 interface
static (chit,chit) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

This should suffice.

Try it and let me know if you get stuck anywhere.

Thanks,

Varun

Thanks,
Varun Rao
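As an added illustration that is not part of this reply or of Cisco's tooling: a small Python audit that reads pre-8.3 ASA nat/global/static lines and reports, for one interface, whether the pieces of a same-interface (hairpin) NAT are present. The excerpt it parses is constructed from the running-config posted above plus the three lines suggested here; the regexes, the HairpinReport class and the assumption that a static written without netmask is applied as a /32 host entry are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: running-config lines from the thread plus the three lines suggested for chit.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (chit) 1 0.0.0.0 0.0.0.0
static (inside,inside) 62.253.196.180 10.1.4.13 netmask 255.255.255.255
nat (chit) 10 0.0.0.0 0.0.0.0
global (chit) 10 interface
static (chit,chit) 192.168.10.0 192.168.10.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) ([1-9]\d*) ")  # nat 0 is exemption, not a pool id
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")

@dataclass
class HairpinReport:
    iface: str
    intra_interface: bool = False
    nat_ids: set = field(default_factory=set)
    global_ids: set = field(default_factory=set)
    statics: list = field(default_factory=list)  # (real, mapped, netmask or None)
    issues: list = field(default_factory=list)

    @property
    def configured(self) -> bool:
        # intra-interface permit + nat/global pair sharing an id + a same-interface static
        return (self.intra_interface and bool(self.nat_ids & self.global_ids)
                and bool(self.statics))

def audit_hairpin(config: str, iface: str) -> HairpinReport:
    rep = HairpinReport(iface)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            rep.intra_interface = True
        elif (m := GLOBAL_RE.match(line)) and m.group(1) == iface:
            rep.global_ids.add(int(m.group(2)))
        elif (m := NAT_RE.match(line)) and m.group(1) == iface:
            rep.nat_ids.add(int(m.group(2)))
        elif (m := STATIC_RE.match(line)) and m.group(1) == m.group(2) == iface:
            real, mapped, mask = m.group(3), m.group(4), m.group(5)
            rep.statics.append((real, mapped, mask))
            # Assumption: with no "netmask", the ASA applies 255.255.255.255, so a
            # subnet address written without a mask translates a single host.
            if mask is None and real.endswith(".0"):
                rep.issues.append(f"static {real} has no netmask; defaults to /32")
    if len(rep.nat_ids) > 1:
        rep.issues.append(f"{iface} has more than one nat id {sorted(rep.nat_ids)}; verify with 'show xlate'")
    return rep
```

Running it against the excerpt reports the inside hairpin as complete and the chit one as complete but with two findings: the static has no netmask and the interface now carries two nat ids.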

Hi,

After enabling the commands, the DHCP on the interface stopped working correctly; it seems that it doesn't want to give out any IP addresses. Could it be related to the setup?

Patrick

Patrick,

I'd suggest not using "hairpinning" if possible. It gets very hard to troubleshoot problems when things break. It appears DHCP is already broken.

Have the router or a layer 3 switch on the inside do the routing. If hosts on the inside network need to talk among themselves, that traffic should never be seen by the ASA. This applies to all interfaces, not just the inside.

-KS

Hi,

I am aware of the risk, but at the moment I need to have the hairpinning done on the ASA.

Would you be able to advise?

regards
Patrick

Patrick,

As I mentioned earlier, troubleshooting this might get very hard. It may not be possible via our forum. I'd suggest opening a TAC case. We need to look at

1. syslogs (at debug level)

2. debugs (for dhcp breaking)

3. captures (for packets arriving and U-turning off the interface)

4. sh xlate debug output for the hosts in question.

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 - says the 10.1.0.0/16 network lives on the inside

nat (chit) 10 0.0.0.0 0.0.0.0 - says the 10.1.0.0/16 network lives on chit.

Remove the lines that you added, get DHCP to work again as before, and then let us get a TAC case opened.

-KS
