How do I hairpin on an ASA 9.5.2 with dynamic client?

tedmittelstaedt
Level 1

Hi All,

First, BEFORE any of you toss the hairpin examples at me - I've read all of them and they didn't help. They mainly concern hairpins between static gateway2gateway VPNs coming into an ASA. Here is my setup:

Main ASA #1 is set up to allow dynamic VPN clients (running the Cisco VPN client - NOT AnyConnect, NOT Quick VPN, NOT PPP, none of that - the plain old Cisco xauth VPN client we all know). Main ASA #1 also has a static LAN2LAN VPN to ASA #2. It has an inside subnet of 192.168.200.0 that is connected to a router with a bunch more 192.168.x subnets behind it, and a static public IP address. It has 2 VPN pools and 2 separate VPN entries. One VPN entry uses split tunneling, the other does not.

ASA1 hands out 192.168.221.0 as its dynamic VPN subnet

ASA2 uses 192.168.215.0/24 as its inside subnet

The Dynamic clients use split tunneling.

I want to hairpin VPN traffic from the dynamic clients coming in on the split tunnel VPN to the other VPN that's static. When I set everything up I can see (in the logs) packets from a remote VPN client at 192.168.221.1 coming into ASA #1 being hairpinned out to ASA #2, then the machine behind that responds and its responses get sent back through the LAN2LAN VPN to ASA #1. But the responses never make it back to the remote VPN client. Instead, I get:

%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.215.43/0 gaddr 192.168.221.1/5 laddr 192.168.221.1/5(LOCAL\assupm)

%ASA-6-110003: Routing failed to locate next hop for ICMP from outside:192.168.215.43/0 to inside:192.168.221.1/5

Here is the simplified config for ASA #1:

ASA #1

!
ASA Version 9.5(2)2
!
ip local pool ipsecclientpool 192.168.221.1-192.168.221.254
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 7.19.87.62 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
!

object network OBJ-192.168.221.0-24
subnet 192.168.221.0 255.255.255.0
object network OBJ-192.168.200.0-24
subnet 192.168.200.0 255.255.255.0
object network OBJ-192.168.4.0-24
subnet 192.168.4.0 255.255.255.0
object network OBJ-192.168.5.0-24
subnet 192.168.5.0 255.255.255.0
object network OBJ-192.168.6.0-24
subnet 192.168.6.0 255.255.255.0

object network NETWORK_OBJ_192.168.215.0_24
subnet 192.168.215.0 255.255.255.0

same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0

object-group network DM_INLINE_NETWORK_2
 network-object object OBJ-192.168.4.0-24
 network-object object OBJ-192.168.5.0-24
 network-object object OBJ-192.168.6.0-24
 network-object object OBJ-192.168.200.0-24
 network-object object OBJ-192.168.221.0-24

!

access-list splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.6.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.215.0 255.255.255.0

!

access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.215.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.215.0 255.255.255.0 192.168.221.0 255.255.255.0

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.168.215.0 255.255.255.0

access-list inside_access_in extended permit ip any any

pager lines 34
logging enable
logging buffered debugging

nat (inside,any) source static OBJ-192.168.200.0-24 OBJ-192.168.200.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.6.0-24 OBJ-192.168.6.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.5.0-24 OBJ-192.168.5.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.4.0-24 OBJ-192.168.4.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT

nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 no-proxy-arp description NONAT
nat (outside,outside) source static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT

object network obj_any
nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 7.19.87.61 1

route inside 192.168.4.0 255.255.255.0 192.168.200.2 1
route inside 192.168.5.0 255.255.255.0 192.168.200.2 1
route inside 192.168.6.0 255.255.255.0 192.168.200.2 1

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 8.8.8.8
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

group-policy america internal
group-policy america attributes
wins-server value 192.168.4.22
dns-server value 192.168.4.22 192.168.4.23
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitTunnelAcl

username assupm password xxxxxxxxxxxxxx encrypted privilege 15
username assupm attributes
vpn-group-policy america
service-type remote-access

tunnel-group america type remote-access
tunnel-group america general-attributes
address-pool ipsecclientpool
authorization-server-group LOCAL
default-group-policy america
tunnel-group america ipsec-attributes
ikev1 pre-shared-key EatMyShorts

1 Reply
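The %ASA-6-110003 line in the post says the reply from 192.168.215.43 was sent toward inside, an interface with no route to the VPN pool. A way to reason about where that egress decision comes from is to walk the posted manual (twice) NAT rules in order. The script below is an added illustration written for this thread; it is not Cisco code and not the poster's, and it is a deliberately simplified model that assumes first-match evaluation of the posted identity rules and assumes (Cisco's documented default for identity NAT) that the matched rule's interface pair picks the egress interface without a route lookup unless that side is any. The object names and rule text are transcribed from the post; the two addresses come from the posted log lines.

```python
"""Added illustration for this thread (not Cisco code, not the poster's config):
a first-match model of ASA identity twice-NAT rules, used to see which rule a
packet hits and which egress interface that rule pins it to.  Real ASA NAT
evaluation has more sections and options than this model covers."""
import ipaddress
from dataclasses import dataclass

# Network objects transcribed from the posted ASA #1 configuration.
OBJECTS = {
    "OBJ-192.168.221.0-24": ["192.168.221.0/24"],          # dynamic VPN client pool
    "OBJ-192.168.200.0-24": ["192.168.200.0/24"],
    "OBJ-192.168.4.0-24": ["192.168.4.0/24"],
    "OBJ-192.168.5.0-24": ["192.168.5.0/24"],
    "OBJ-192.168.6.0-24": ["192.168.6.0/24"],
    "NETWORK_OBJ_192.168.215.0_24": ["192.168.215.0/24"],  # inside subnet of ASA #2
}
# object-group DM_INLINE_NETWORK_2 as posted; note that it contains the VPN pool.
OBJECTS["DM_INLINE_NETWORK_2"] = [
    net
    for name in ("OBJ-192.168.4.0-24", "OBJ-192.168.5.0-24", "OBJ-192.168.6.0-24",
                 "OBJ-192.168.200.0-24", "OBJ-192.168.221.0-24")
    for net in OBJECTS[name]
]

# The manual NAT rules from the post, in the order they appear there.
POSTED_NAT = [
    "nat (inside,any) source static OBJ-192.168.200.0-24 OBJ-192.168.200.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp",
    "nat (inside,any) source static OBJ-192.168.6.0-24 OBJ-192.168.6.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp",
    "nat (inside,any) source static OBJ-192.168.5.0-24 OBJ-192.168.5.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp",
    "nat (inside,any) source static OBJ-192.168.4.0-24 OBJ-192.168.4.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp",
    "nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 no-proxy-arp",
    "nat (outside,outside) source static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp",
]


@dataclass
class TwiceNat:
    ingress: str  # first interface of "(ingress,egress)"
    egress: str   # second interface; "any" leaves the choice to a route lookup
    source: str   # real source object
    dest: str     # real destination object
    text: str


def parse_nat(line: str) -> TwiceNat:
    """Parse 'nat (A,B) source static X X destination static Y Y ...' (identity rules only)."""
    tok = line.split()
    ingress, egress = tok[1].strip("()").split(",")
    src = tok[tok.index("source") + 2]
    dst = tok[tok.index("destination") + 2]
    return TwiceNat(ingress, egress, src, dst, line)


def member(obj: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECTS[obj])


def egress_for(rules, in_iface, src, dst):
    """First-match walk.  A rule matches forward (packet enters on its first
    interface, src in source object, dst in destination object) and, being
    bidirectional, in reverse (enters on its second interface, src in destination
    object, dst in source object).  Modelled ASA behaviour: the rule's other
    interface becomes the egress interface unless that side is 'any'.
    Returns (egress, index of matching rule)."""
    for i, r in enumerate(rules):
        if r.ingress in (in_iface, "any") and member(r.source, src) and member(r.dest, dst):
            return ("route-lookup" if r.egress == "any" else r.egress), i
        if r.egress in (in_iface, "any") and member(r.dest, src) and member(r.source, dst):
            return ("route-lookup" if r.ingress == "any" else r.ingress), i
    return "route-lookup", None


def trace(rule_lines):
    """Both directions of the flow from the post: client -> host behind ASA #2, and the reply."""
    rules = [parse_nat(line) for line in rule_lines]
    return {
        "client_to_215": egress_for(rules, "outside", "192.168.221.1", "192.168.215.43"),
        "reply_to_221": egress_for(rules, "outside", "192.168.215.43", "192.168.221.1"),
    }


if __name__ == "__main__":
    print("posted order:")
    for flow, (egress, idx) in trace(POSTED_NAT).items():
        print(f"  {flow}: egress={egress} via rule #{idx}")
    # Variant: same rules with the (outside,outside) rule evaluated first.
    print("outside,outside rule first:")
    for flow, (egress, idx) in trace([POSTED_NAT[5]] + POSTED_NAT[:5]).items():
        print(f"  {flow}: egress={egress} via rule #{idx}")
```

In the posted order the model sends the client's packet out via the (outside,outside) rule, as the poster observes, but the reply from 192.168.215.43 to 192.168.221.1 hits the DM_INLINE_NETWORK_2 rule first in reverse (that group contains the 192.168.221.0/24 pool) and is pinned to inside, which is what the 110003 message reports. The second variant only shows that rule order changes the model's answer; what the box actually does is shown by `packet-tracer input outside icmp 192.168.215.43 8 0 192.168.221.1`, which prints the NAT rule and egress interface the ASA chose, and the `route-lookup` keyword on identity twice-NAT rules is the documented way to make the ASA consult the routing table instead of the rule's interface pair.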

tedmittelstaedt
Level 1

I read this:

https://supportforums.cisco.com/discussion/11175761/asa-6-110003-routing-failed-locate-next-hop-tcp-outside2606-inside22

Does not contain an answer. Does not explain how to exempt from NATting data flow from and to dynamic VPN clients.
