ASA5506 9.6 Hairpin NAT help

Cybervex3
Level 1

Hey all

I am having issues allowing AnyConnect users to access remote resources via site-to-site tunnels. I have 3 locations: A, B, C. A (9.6) has a tunnel to both B (8.2) and C (8.2). Clients AnyConnect to A and access resources there but are not able to access anything on B or C. I am sure I have the nat statements messed up.

Here is the A config

: Saved

:

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ciscoasa
enable password fCUCGJvREJe.MlC/ encrypted
names

ip local pool SSL_VPN_POOL 10.102.0.1-10.102.0.51 mask 255.255.0.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.20.138 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.101.0.1 255.255.0.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SSL_VPN_CLIENTS
 subnet 10.102.0.0 255.255.0.0
object network NETWORK_OBJ_10.102.0.0_26
 subnet 10.102.0.0 255.255.255.192
object-group network WK_LAN
 description All_PME_LANS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.13.0.0 255.255.0.0
 network-object 10.15.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.0.0
 network-object 10.9.0.0 255.255.0.0
object-group network LA_LANS
 description ALL_LA_LANS
 network-object 10.101.0.0 255.255.0.0
object-group network HV_LANS
 description ALL_HV_LANS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
 network-object 10.22.0.0 255.255.0.0
object-group network PME_LANS
 group-object HV_LANS
 group-object WK_LAN
access-list LA_CRYPTO extended permit ip object-group LA_LANS object-group WK_LAN
access-list outside_access_in extended permit ip 10.101.0.0 255.255.0.0 object-group WK_LAN
access-list outside_access_in extended permit ip 10.101.0.0 255.255.0.0 object-group HV_LANS
access-list Split-Tunnel standard permit 10.101.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.16.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.21.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.22.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.13.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.102.0.0 255.255.0.0
access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS
pager lines 24
logging enable
logging asdm informational
no logging message 106023
mtu outside 1500
mtu inside 1500
mtu inside_vpn 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.102.0.0_26 NETWORK_OBJ_10.102.0.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static HV_LANS HV_LANS
nat (outside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static WK_LAN WK_LAN
nat (inside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static WK_LAN WK_LAN
nat (inside,outside) source static LA_LANS LA_LANS destination static PME_LANS PME_LANS
!
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server PME_RADIUS protocol radius
 dynamic-authorization
aaa-server PME_RADIUS (inside) host 10.101.0.4
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.101.0.0 255.255.0.0 inside
http 10.102.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address HV_CRYPTO
crypto map outside_map 10 set peer SiteA_IP
crypto map outside_map 10 set ikev1 transform-set PM1
crypto map outside_map 20 match address LA_CRYPTO
crypto map outside_map 20 set peer SiteB_IP
crypto map outside_map 20 set ikev1 transform-set PM1
crypto map outside_map interface outside
crypto ca trustpoint SSL-Trustpoint
 enrollment terminal
 fqdn lavpn.company.com
 subject-name CN=lavpn.company.com,O=Company Inc,C=US,St=State,L=City
 keypair SSL_VPN_KEY_PAIR
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.101.0.1,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain SSL-Trustpoint
 certificate 008fe471b053000411
   
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e8d84658
   
  quit
crypto isakmp nat-traversal 3600
no crypto ikev2 fragmentation
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

telnet 10.101.0.0 255.255.0.0 inside
telnet timeout 120
ssh stricthostkeycheck

ssh 10.101.0.0 255.255.0.0 inside
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside

tftp-server inside 10.10.2.30 <YYYYMMDD-ASA5506-LA>
ssl trust-point SSL-Trustpoint outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.3.04027-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 3
 anyconnect profiles PME_SSL_Profile disk0:/AnyConnectProfile20161207.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_LA_SSL internal
group-policy GroupPolicy_LA_SSL attributes
 wins-server none
 dns-server value 10.101.0.4
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value pme.local
dynamic-access-policy-record DfltAccessPolicy

tunnel-group SiteB_IP type ipsec-l2l
tunnel-group SiteB_IP ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group LA_SSL type remote-access
tunnel-group LA_SSL general-attributes
 address-pool SSL_VPN_POOL
 authentication-server-group PME_RADIUS
 default-group-policy GroupPolicy_LA_SSL
tunnel-group LA_SSL webvpn-attributes
 group-alias LA_SSL enable
tunnel-group SiteA_IP type ipsec-l2l
tunnel-group SiteA_IP ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end
ciscoasa(config)#

Accepted Solution

JP Miranda Z
Cisco Employee

Hi Cybervex3,

Considering your AnyConnect clients are getting an IP from the pool 10.102.x.x, that range of IPs needs to be allowed on the interesting traffic of the tunnels, and it is not:

access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS

access-list LA_CRYPTO extended permit ip object-group LA_LANS object-group WK_LAN

object-group network LA_LANS
 description ALL_LA_LANS
 network-object 10.101.0.0 255.255.0.0

So you need to add the following group to the interesting traffic:

object network SSL_VPN_CLIENTS
 subnet 10.102.0.0 255.255.0.0

Example:

access-list HV_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group HV_LANS

access-list LA_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group WK_LAN

So clients from SSL_VPN_CLIENTS are going to be able to access WK_LAN and HV_LANS through the VPN tunnel. Keep in mind this change needs to be done on both sides of the tunnel, since the interesting traffic needs to be mirrored.

The U-turn NAT and the same-security intra-interface are already configured, so adding that extra line to the interesting traffic should do the trick.

Hope this info helps!!

Rate if it helps you!!

-JP-

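As an added example (not from the thread and not Cisco's own tooling), a small Python checker for the point JP makes: it expands the ASA object and object-group definitions, builds each crypto ACL's source/destination pairs, and reports any pair the far side does not permit in reverse. SITE_A is a constructed excerpt of the poster's config with the suggested line added; SITE_B is a hypothetical peer config where the mirror entry was forgotten.

```python
import ipaddress
import re

# Constructed excerpt of Site A plus the accepted answer's extra line; not the poster's full config.
SITE_A = """
object network SSL_VPN_CLIENTS
 subnet 10.102.0.0 255.255.0.0
object-group network LA_LANS
 network-object 10.101.0.0 255.255.0.0
object-group network HV_LANS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS
access-list HV_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group HV_LANS
"""
# Hypothetical Site B (constructed): the mirror entry for the VPN pool was forgotten.
SITE_B = """
object-group network HV_LANS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
object-group network LA_LANS
 network-object 10.101.0.0 255.255.0.0
access-list TO_LA extended permit ip object-group HV_LANS object-group LA_LANS
"""

net = ipaddress.ip_network

def parse(cfg):
    """Expand object/object-group definitions; return {acl: [(src_net, dst_net), ...]}."""
    objs, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            cur = objs.setdefault(m.group(1), [])          # start a new object
        elif m := re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line):
            cur.append(net(f"{m.group(1)}/{m.group(2)}"))   # "addr mask" -> network
        elif m := re.match(r"\s+group-object (\S+)", line):
            cur.extend(objs[m.group(1)])                    # nested group
        elif m := re.match(r"access-list (\S+) extended permit ip object\S* (\S+) object\S* (\S+)", line):
            acls.setdefault(m.group(1), []).extend(
                (s, d) for s in objs[m.group(2)] for d in objs[m.group(3)])
    return acls

def covers(pairs, src, dst):
    """True if some ACL entry permits src -> dst (both given as CIDR strings)."""
    return any(net(src).subnet_of(s) and net(dst).subnet_of(d) for s, d in pairs)

def unmirrored(local_pairs, remote_pairs):
    """Local src -> dst entries the peer does not permit in reverse as dst -> src."""
    return [(str(s), str(d)) for s, d in local_pairs if not covers(remote_pairs, str(d), str(s))]
```

Running `unmirrored(parse(SITE_A)["HV_CRYPTO"], parse(SITE_B)["TO_LA"])` lists the two pool-to-HV_LANS pairs Site B still lacks, which is exactly the "must be mirrored on both sides" condition from the answer.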

2 Replies

You are correct. I had forgotten while going back and forth between FWs that I had changed the pool for AnyConnect and never added the change. Humbling to realize such a mistake while TAC was fixing it. :)
