How do I hairpin on an ASA 9.5.2 with dynamic client?
First, BEFORE any of you toss the hairpin examples at me: I've read all of them and they didn't help. They mainly concern hairpins between static gateway-to-gateway VPNs coming into an ASA. Here is my setup:
Main ASA #1 is set up to allow dynamic VPN clients (running the Cisco VPN client - NOT AnyConnect, NOT Quick VPN, NOT PPP, none of that - the plain old Cisco XAUTH VPN client we all know). Main ASA #1 also has a static LAN2LAN VPN to ASA #2. It has an inside subnet of 192.168.200.0 that is connected to a router with a bunch more 192.168.x subnets behind it, and a static public IP address. It has 2 VPN pools and 2 separate VPN entries. One VPN entry uses split tunneling, the other does not.
ASA1 hands out 192.168.221.0 as its dynamic VPN subnet.
ASA2 uses 192.168.215.0/24 as its inside subnet.
The Dynamic clients use split tunneling.
I want to hairpin VPN traffic from the dynamic clients coming in on the split-tunnel VPN to the other VPN that's static. When I set everything up I can see (in the logs) packets from a remote VPN client at 192.168.221.1 coming into ASA #1 being hairpinned out to ASA #2, then the machine behind that responds and its responses get sent back through the LAN2LAN VPN to ASA #1. But the responses never make it back to the remote VPN client. Instead, I get:
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.215.43/0 gaddr 192.168.221.1/5 laddr 192.168.221.1/5(LOCAL\assupm)
%ASA-6-110003: Routing failed to locate next hop for ICMP from outside:192.168.215.43/0 to inside:192.168.221.1/5
Here is the simplified config for ASA #1:
!
ASA Version 9.5(2)2
!
ip local pool ipsecclientpool 192.168.221.1-192.168.221.254
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 184.108.40.206 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
!
group-policy america internal
group-policy america attributes
 wins-server value 192.168.4.22
 dns-server value 192.168.4.22 192.168.4.23
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
!
tunnel-group america type remote-access
tunnel-group america general-attributes
 address-pool ipsecclientpool
 authorization-server-group LOCAL
 default-group-policy america
tunnel-group america ipsec-attributes
 ikev1 pre-shared-key EatMyShorts
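Added example, not part of the original post and not taken from the poster's ASA: the configuration pieces a remote-access-pool-to-LAN2LAN hairpin on an ASA 9.x generally needs, using the subnets above. The object names, the ACL name l2l-to-asa2 and the crypto map name are assumed.

```cisco
! Added example (assumed object/ACL/crypto-map names), not the poster's config.
!
! 1. Let traffic leave on the interface it arrived on (outside -> outside).
same-security-traffic permit intra-interface
!
! 2. Identity NAT between the client pool and the ASA #2 subnet. Writing it
!    as (outside,outside) avoids an (inside,outside) rule pinning the egress
!    interface to "inside"; route-lookup makes the ASA consult the routing
!    table for the egress interface instead of the NAT rule.
object network obj-vpnpool
 subnet 192.168.221.0 255.255.255.0
object network obj-asa2-lan
 subnet 192.168.215.0 255.255.255.0
nat (outside,outside) source static obj-vpnpool obj-vpnpool destination static obj-asa2-lan obj-asa2-lan no-proxy-arp route-lookup
!
! 3. The LAN2LAN crypto ACL must cover the pool as well as the inside subnet.
!    ASA #2's mirror ACL must list 192.168.221.0/24 as a remote network too,
!    or its responses will not be sent back through the tunnel.
access-list l2l-to-asa2 extended permit ip 192.168.200.0 255.255.255.0 192.168.215.0 255.255.255.0
access-list l2l-to-asa2 extended permit ip 192.168.221.0 255.255.255.0 192.168.215.0 255.255.255.0
crypto map outside_map 10 match address l2l-to-asa2
!
! 4. The split-tunnel ACL handed to the dynamic clients must include the
!    ASA #2 subnet, otherwise the client never sends that traffic down the tunnel.
access-list splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.215.0 255.255.255.0
```

A `packet-tracer input outside icmp 192.168.215.43 0 0 192.168.221.1` run after applying the NAT rule shows which phase picks the egress interface, which is where a %ASA-6-110003 would otherwise appear.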