[answered]ASA 8.4 Hairpinning problem

babanonyme
Level 1

Hi all, I have a problem with my hairpinning setup on ASA 8.4.1.

I'm using the subnet 10.0.0.0/16 for my network, and I used 10.0.1.0 for VPN.

I have same-security-traffic permit intra-interface configured.


Initially, I made a pool for the whole inside subnet so everything should be NATed:

object network inside_dmz
subnet 10.0.0.0 255.255.0.0

nat (any,outside) dynamic interface


but my VPN users are not NATed.

I then created this rule just to be sure:


object network vpn_net
subnet 10.0.1.0 255.255.255.0
nat (outside,outside) dynamic interface

but that's not working either.

I turned on debug ip icmp 200 so that we can normally see the NAT translation in real time (I'm pinging 8.8.8.8).

This is what happens from the VPN host:


ICMP echo request from outside:10.0.1.1 to outside:8.8.8.8 ID=1 seq=39 len=32

This is from inside:


ICMP echo request from inside:10.0.0.2 to outside:209.85.146.99 ID=1 seq=5 len=32
ICMP echo request translating inside:10.0.0.2/1 to outside:192.168.0.253/43825
ICMP echo reply from outside:209.85.146.99 to inside:192.168.0.253 ID=43825 seq=5 len=32
ICMP echo reply untranslating outside:192.168.0.253/43825 to inside:10.0.0.2/1

I also made a real time capture:

asa(config)# capture CAP1 interface outside real-time match icmp any any


ICMP echo request from outside:10.0.1.1 to outside:8.8.8.8 ID=1 seq=47 len=32
   1: 18:51:20.462683 802.1Q vlan#1 P0 10.0.1.1 > 8.8.8.8: icmp: echo request

Packets are leaving the ASA without being NATed.

All my NAT rules:

asa(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (any) to (outside) source static any any destination static RVPN RVPN
    translate_hits = 5, untranslate_hits = 3473
    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
    Destination - Origin: 10.0.1.0/24, Translated: 10.0.1.0/24
2 (outside) to (outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 192.168.0.253/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static DesktopPC_Nat interface service udp 16810 16810
    translate_hits = 299148, untranslate_hits = 29558
    Source - Origin: 10.0.0.2/32, Translated: 192.168.0.253/24
    Service - Protocol: udp Real: 16810 Mapped: 16810
2 (dmz) to (outside) source static DMZ_Server interface service udp 39527 39527
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.0.88.5/32, Translated: 192.168.0.253/24
    Service - Protocol: udp Real: 39527 Mapped: 39527
3 (dmz) to (outside) source static DMZ_Server_rdp interface service tcp 3389 3390
    translate_hits = 0, untranslate_hits = 9
    Source - Origin: 10.0.88.5/32, Translated: 192.168.0.253/24
    Service - Protocol: tcp Real: 3389 Mapped: 3390
4 (outside) to (outside) source dynamic vpn_net interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.0.1.0/24, Translated: 192.168.0.253/24
5 (any) to (outside) source dynamic inside_dmz interface
    translate_hits = 852080, untranslate_hits = 14233
    Source - Origin: 10.0.0.0/16, Translated: 192.168.0.253/24

I don't know if I missed something here, but I'd appreciate your help.

1 Reply

babanonyme
Level 1

Oh, I just found what I missed: my NAT exemption rule was exempting VPN traffic from being NATed:

nat (any,outside) source static any any destination static RVPN RVPN

Replaced by:

nat (any,outside) source static inside_dmz inside_dmz destination static RVPN RVPN
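The following is an added illustration, not code from the thread or from Cisco: a small Python model of how the ASA 8.4 NAT table is walked (all of Section 1 manual NAT before Section 2 auto NAT, first match wins, static rules matched in both directions). It reproduces the symptom in the first post (the VPN client 10.0.1.1 pinging 8.8.8.8 leaves untranslated because the "source static any any destination static RVPN RVPN" rule matches it in the reverse direction, which is what the untranslate_hits counter was counting) and the effect of the fix in the reply (restricting the source to inside_dmz lets the packet fall through to the vpn_net dynamic PAT rule). Assumptions: the outside interface address 192.168.0.253 is taken from the thread's show nat output, the rule names are hypothetical labels, services are modelled only as a protocol tag, and Section 2 is walked in the order show nat detail listed it; the real ASA also orders Section 2 by static-before-dynamic and prefix length, which happens to give the same order here.

```python
# Added illustration, not from the thread: a tiny model of ASA 8.4 NAT rule
# evaluation (Section 1 manual NAT, then Section 2 auto NAT) used to show why
# the identity rule "source static any any destination static RVPN RVPN"
# swallowed VPN-to-Internet traffic, and why restricting its source fixes it.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

OUTSIDE_IP = "192.168.0.253"   # outside interface address seen in the thread's output
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class NatRule:
    name: str                    # hypothetical label, not an ASA object name
    section: int                 # 1 = manual NAT, 2 = auto (object) NAT
    src_if: str                  # real (ingress) interface, or "any"
    dst_if: str                  # mapped (egress) interface, or "any"
    real_src: str                # CIDR of the real source
    mapped_src: str              # CIDR, or "interface" for PAT to the interface
    dynamic: bool = False
    real_dst: str = ANY          # twice NAT destination side (identity in this thread)
    mapped_dst: str = ANY
    proto: Optional[str] = None  # service-qualified rules only match that protocol


def _in(ip: str, net: str) -> bool:
    """Address membership; "interface" stands for the outside interface address."""
    if net == "interface":
        return ip == OUTSIDE_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _if_ok(rule_if: str, actual: str) -> bool:
    return rule_if == "any" or rule_if == actual


def matches(rule: NatRule, ingress: str, egress: str, src: str, dst: str, proto: str) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    # Forward direction: packet enters on the real interface, leaves on the mapped one.
    if (_if_ok(rule.src_if, ingress) and _if_ok(rule.dst_if, egress)
            and _in(src, rule.real_src) and _in(dst, rule.real_dst)):
        return True
    # Static rules are bidirectional: a packet sourced from the rule's destination
    # object (here, the VPN pool) is matched against the mapped side in reverse.
    # Such hits are what "show nat detail" reports as untranslate_hits.
    if (not rule.dynamic and _if_ok(rule.dst_if, ingress) and _if_ok(rule.src_if, egress)
            and _in(src, rule.mapped_dst) and _in(dst, rule.mapped_src)):
        return True
    return False


def lookup(rules, ingress, egress, src, dst, proto="icmp") -> Tuple[str, str]:
    """Return (matching rule name, translated source); first match wins,
    with all of Section 1 consulted before Section 2 (sorted() is stable)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if matches(rule, ingress, egress, src, dst, proto):
            if rule.dynamic:
                return rule.name, OUTSIDE_IP      # dynamic PAT to the interface
            return rule.name, src                 # identity static: left untouched
    return "no-match", src


# Section 2 auto NAT rules, in the order "show nat detail" listed them.
AUTO_NAT = [
    NatRule("DesktopPC_Nat", 2, "inside", "outside", "10.0.0.2/32", "interface", proto="udp"),
    NatRule("DMZ_Server", 2, "dmz", "outside", "10.0.88.5/32", "interface", proto="udp"),
    NatRule("DMZ_Server_rdp", 2, "dmz", "outside", "10.0.88.5/32", "interface", proto="tcp"),
    NatRule("vpn_net", 2, "outside", "outside", "10.0.1.0/24", "interface", dynamic=True),
    NatRule("inside_dmz", 2, "any", "outside", "10.0.0.0/16", "interface", dynamic=True),
]

# Original Section 1 rule: "source static any any destination static RVPN RVPN".
ORIGINAL = [NatRule("exempt_any_to_RVPN", 1, "any", "outside", ANY, ANY,
                    real_dst="10.0.1.0/24", mapped_dst="10.0.1.0/24")] + AUTO_NAT

# Fixed Section 1 rule: source restricted to inside_dmz (10.0.0.0/16).
FIXED = [NatRule("exempt_inside_dmz_to_RVPN", 1, "any", "outside", "10.0.0.0/16", "10.0.0.0/16",
                 real_dst="10.0.1.0/24", mapped_dst="10.0.1.0/24")] + AUTO_NAT


if __name__ == "__main__":
    # Hairpinned VPN client 10.0.1.1 pinging 8.8.8.8 (outside -> outside).
    print("original:", lookup(ORIGINAL, "outside", "outside", "10.0.1.1", "8.8.8.8"))
    print("fixed:   ", lookup(FIXED, "outside", "outside", "10.0.1.1", "8.8.8.8"))
    # The exemption must still cover VPN client -> inside host traffic.
    print("vpn->lan:", lookup(FIXED, "outside", "inside", "10.0.1.1", "10.0.0.2"))
```

Running it prints the identity rule for the original configuration (source address unchanged, matching the capture in the first post) and the vpn_net PAT rule with 192.168.0.253 for the fixed one, while VPN-to-LAN traffic still hits the exemption. The general lesson it demonstrates is that any static twice NAT rule whose destination object overlaps a remote-access pool is also a source match for traffic leaving that pool, so an "any" source on an exemption rule silently overrides every Section 2 dynamic rule for hairpinned clients.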