Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1478
Views
0
Helpful
2
Replies

Hairpinning with two internal Networks on the "inside" interface

craig.nesty
Level 1
Level 1

‎05-03-2012 09:46 AM

Hi

I am running

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

on an ASA 5505. I would like to be able to hairpin on the internal network. The internal network comprise of two networks. The inside network of the ASA 5505 which is 10.0.0.0 /8 and 172.16.1.0/24. I am attaching a network diagram to aid with this request. The default gateway of both is the ASA 5505 10.0.0.1.

I have tried this link https://supportforums.cisco.com/thread/2061002 among others

I have also done a packet trace and it appears that the packet should go through. In fact it is sent to next module. Which I really don't know what that is or why it is sent to that module at all. What am I doing wrong?  The packet trace follows along with my configuration

ACME-ASA# packet-tracer input inside icmp 10.0.0.183 8 0 172.16.1.1

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.1.0      255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 10.0.0.0 255.0.0.0 inside 172.16.1.0 255.255.255.0

    NAT exempt

    translate_hits = 95, untranslate_hits = 1

Additional Information:

Phase: 7

Type: NAT-EXEMPT

Subtype: rpf-check

Result: ALLOW

Config:

  match ip inside 172.16.1.0 255.255.255.0 inside 10.0.0.0 255.0.0.0

    NAT exempt

    translate_hits = 1, untranslate_hits = 95

Additional Information:

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 10

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 140365, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

====================================================================================

END OF TRACE

====================================================================================

ASA Version 8.2(1)

!

hostname ACME-ASA

domain-name intranet.ACME.com

enable password dBGEZ7W9OslQcaz2 encrypted

passwd dBGEZ7W9OslQcaz2 encrypted

names

name 192.168.10.0 PWC description pwc remote lan

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.0.0.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ACME

ip address pppoe setroute

!

interface Vlan3

no nameif

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone AST -4

dns server-group DefaultDNS

domain-name intranet.ACME.com

same-security-traffic permit intra-interface

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list ACME_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 PWC 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.192

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 PWC 255.255.255.0

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool ACMEVPN 10.0.1.1-10.0.1.50 mask 255.0.0.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 101 in interface outside

route inside 172.16.1.0 255.255.255.0 10.0.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 99.249.241.132

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 15

console timeout 0

vpdn group ACME request dialout pppoe

vpdn group ACME localname ACME

vpdn group ACME ppp authentication pap

vpdn username ACME password ********* store-local

dhcpd dns 69.57.241.9 69.57.241.10

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol l2tp-ipsec svc webvpn

group-policy ACME internal

group-policy ACME attributes

dns-server value 10.0.0.24 10.0.0.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACME_splitTunnelAcl

default-domain value intranet.ACME.com

group-policy ACME internal

group-policy ACME attributes

dns-server value 10.0.0.24 8.8.8.8

vpn-tunnel-protocol IPSec l2tp-ipsec

username aandre password P4P2V54vOrErCg41 encrypted privilege 0

username aandre attributes

vpn-group-policy ACME

username uwilliams password wbsffaKVr0YepCUS encrypted privilege 0

username uwilliams attributes

vpn-group-policy ACME

username cjosephs password 2sNBaOjAVrpF740r encrypted privilege 0

username cjosephs attributes

vpn-group-policy ACME

username gjames password iARKkHERv4HyEEKL encrypted privilege 0

username gjames attributes

vpn-group-policy ACME

username cnesty password zmnUQV3pD0XWZW9I encrypted privilege 15

tunnel-group ACME type ipsec-l2l

tunnel-group ACME ipsec-attributes

pre-shared-key *

tunnel-group ACME type remote-access

tunnel-group ACME general-attributes

address-pool ACMEVPN

default-group-policy ACME

tunnel-group ACME ipsec-attributes

pre-shared-key *

!

class-map ICMP-CMAP

match access-list 101

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:311e23e2214979d1f2b8eae16013faba

: end

Labels:
Preview file
22 KB
0 Helpful
2 Replies 2

Mohammad Alhyari
Cisco Employee
Cisco Employee

‎05-08-2012 03:40 PM

Mate ,

few comments :

1- the config looks fine .

2- you can use packet captures to trace the packets :

access-list capin permit ip host1 host2

access-list capin permit ip host2 host1

cap capin access-list capin interface inside

// to show the captures :

show cap capin

run the captures and see if the packets are leaving the ASA , and if you are getting a reply?

3- when the router sends the response back it will not pass through the ASA as it will see the 10 as a direclty connected network , by default the ASA randomize the ISN for TCP and also their will be an asymetric flow so you may need to :

- add a more specific route on the router to send the traffic through the ASA
- hide the 10 network behind the ASA with a dynamic pat rule on the ASA doing this the 172 network will see the 10 as coming from the ASA.

Hope that this helps .
MOhammad.

0 Helpful

craig.nesty
Level 1
Level 1
In response to Mohammad Alhyari

‎05-10-2012 08:15 AM

Mohammad,

Thanks for your response. These are great troubleshooting tips. I figured out the problem was with the internal router. It wasn't allowing traffic in one direction. It was configured as a gateway and not as a router. Once this was corrected things appear to be functioning just fine. Thanks again.

0 Helpful
Customers Also Viewed These Support Documents