1672 Views, 0 Helpful, 23 Replies

ASA 5510 and Hairpinning (full tunnel)

seth, Level 1

Hello all,
I have a VPN Remote Access configuration setup for my iPhone
I am doing full tunnel on this.
So it works, I can connect and get the tunnel up.
Now the problem that comes is that it seems that any kind of DNS lookup and then traffic flow to the website is not allowed.
I set the tunnel up to use my internal DNS server, didn't work.
I set it up to use Google's DNS servers, didn't work.

But traffic flow is working, because certain apps like WeChat or iMessage work with the tunnel enabled.
So I am assuming that they are hard coded with IP addresses in the programming of their app.
But if you go to Safari or Chrome and try to browse to amazon or google, then it doesn't work.

So what am I missing in my config?
for the Dynamic NAT rule I have for my iPhone VPN Pool, should I select the DNS Rewrite option on that rule?

23 Replies

Have you configured the DNS servers under the group policy for the tunnel group? Can you post the configuration of the ASA you have?

Here is ASA:
**************************************************************************************************************

!
ASA Version 8.2(3)
!
hostname CoxASA5510
domain-name webd2ms2.com
enable password ..Lyz3sh0DbVWcxP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.78.0.0 Cox_Inside description Inside network behind ASA5510
name 172.16.1.0 RemoteVPN description Remote Access Network
name 192.168.1.0 VPNMobile description IP Pool for VPN Mobile
dns server-group DefaultDNS
 domain-name webd2ms2.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Google_DNS
 network-object host 8.8.4.4
 network-object host 8.8.8.8
object-group network DomainControllers
 network-object host 10.78.0.5
 network-object host 10.78.0.6
access-list Inside_nat0_outbound extended permit ip Cox_Inside 255.255.255.0 VPNMobile 255.255.255.0
access-list Outside_access_in extended permit ip VPNMobile 255.255.255.0 any
access-list Outside_access_in extended permit ip any VPNMobile 255.255.255.0
access-list Outside_cryptomap_5000 extended permit ip any VPNMobile 255.255.255.0
access-list Inside_access_in extended permit ip any any
ip local pool VPNDHCP2 172.16.1.100-172.16.1.200 mask 255.255.255.0
ip local pool VPNMobile 192.168.1.100-192.168.1.105 mask 255.255.255.0
global (Outside) 10 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Outside) 10 VPNMobile 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 216.54.104.129 1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address Outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map iPhone 50000 match address Outside_cryptomap_5000
crypto dynamic-map iPhone 50000 set transform-set ESP-3DES-SHA
crypto dynamic-map iPhone 50000 set reverse-route
crypto map Outside_map 50000 ipsec-isakmp dynamic iPhone
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
webvpn
group-policy iPhone internal
group-policy iPhone attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 default-domain value webd2ms2.com
username dunns password 5eV1j.Y6CHrne9RO encrypted privilege 15
username xunhe password mkEbsVaECISPUbn0 encrypted privilege 0

**************************************************************************************************************

Here is my PIX 515E config, which does work.

**************************************************************************************************************

sh run
: Saved
:
PIX Version 7.2(2)
!
hostname gbpix
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.81.1.80 255.255.255.0

!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name my_domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ_RDP
 description Connect to hosts via RDP that are in DMZ
 network-object 172.16.1.2 255.255.255.255
 network-object 172.16.1.3 255.255.255.255
object-group service DNS_LookUp tcp-udp
 description Group for DNS Port number UDP/TCP
 port-object range domain domain
access-list inside_outbound_nat0_acl remark Do not NAT Addresses when talking to PPTP Clients.
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 192.168.1.96 255.255.255.240
access-list outside_cryptomap_65535.40 extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging facility 23
logging queue 2048
logging host inside 10.10.0.199
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPNMobile 192.168.1.100-192.168.1.105 mask 255.255.255.0
ip local pool VPNDesktop 172.16.1.100-172.16.1.200 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside) 68 66.11.19.68 netmask 255.255.255.255
global (outside) 2 66.16.132.133
global (dmz) 17 interface
global (dmz) 20 66.16.132.142
nat (outside) 10 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 10.10.0.199 255.255.255.255 dns
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 66.16.132.136 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 66.16.132.139 172.16.1.3 netmask 255.255.255.255
static (outside,dmz) 172.16.1.2 66.16.132.136 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.81.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.10.0.34
 timeout 30
 key my_psk
aaa-server RADIUS host 10.10.0.9
 timeout 25
 key my_psk
group-policy VPNDesktop internal
group-policy VPNDesktop attributes
 wins-server value 10.78.0.6
 dns-server value 10.78.0.6 10.78.0.5
 vpn-tunnel-protocol IPSec
 default-domain value my_domain
group-policy iPhone internal
group-policy iPhone attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 default-domain value my_domain
username dunns password 5eV1j.Y6CHrne9RO encrypted privilege 15
username replogled password gGQpsYvn1mD3wox8 encrypted privilege 5
username xunhe password W8rA5wZqpj2lgRlE encrypted privilege 0
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
auth-prompt prompt xxx Logon:
auth-prompt accept Authenticated
auth-prompt reject Too bad. Try again.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_65535.40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 140 set peer 216.54.104.130
crypto map outside_map 140 set transform-set ESP-AES-256-SHA
crypto map inside_map interface inside
crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp nat-traversal  45
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point d2msbk1
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
 authentication-server-group (inside) RADIUS
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point d2msbk1
tunnel-group VPNDesktop type ipsec-ra
tunnel-group VPNDesktop general-attributes
 address-pool VPNDesktop
 default-group-policy VPNDesktop
tunnel-group VPNDesktop ipsec-attributes
 pre-shared-key *
tunnel-group iPhone type ipsec-ra
tunnel-group iPhone general-attributes
 address-pool VPNMobile
 default-group-policy iPhone
tunnel-group iPhone ipsec-attributes
 pre-shared-key *
telnet 10.10.0.40 255.255.255.255 inside
telnet 10.10.0.23 255.255.255.255 inside
telnet 10.10.0.47 255.255.255.255 inside
telnet timeout 8
ssh 10.10.0.40 255.255.255.255 inside
ssh 10.10.0.47 255.255.255.255 inside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
!
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
ntp server 10.10.0.12 source inside
ntp server 130.126.24.44 source outside prefer
tftp-server inside 10.10.0.34 pix
prompt hostname context
Cryptochecksum:89f612e7474b2846886ec1fc0f9e91b2
: end


**************************************************************************************************************

Hello,

I dug around in some older Apple forums, and somebody came up with this config for the ASA, which is supposed to work. I am not sure how old the code is, though...

access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set iphone esp-3des esp-sha-hmac
crypto ipsec transform-set iphone mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
group-policy iphone internal
group-policy iphone attributes
wins-server value <insert ip> <insert ip>
dns-server value <insert ip> <insert ip>
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value <insert domain name>
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory2
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key <insert pre-shared key>

Thanks for looking, but I don't believe that will address my problem.
I do not want to do a Split Tunnel on this.
I want to tunnel all the data from iPhone -> ASA -> WWW

Ok. I will look further...there must be a solution for this for sure.

That is what I keep telling myself.
It has to work, I am just not sure what I am missing.

I got it to work fine on the PIX...

Hello,

I am working on the PIX to ASA conversion...not sure how long that will take...;)

Hello,

I have found the IOS command that allows Internet access in full tunnel mode, not much use on the ASA, but at least it gives an indication of what to look for...

webvpn sslvpn-vif nat inside

I am trying to find the ASA equivalent...

Hello,

since you mention hairpinning in the title of your post, you might have already tried this:

same-security-traffic permit intra-interface

I could not see an 'object-group network' for your iPhone pool, you might have to add that.

object-group network IPHONE_POOL
network-object x.x.x.x x.x.x.x

nat (outside,outside) source dynamic IPHONE_POOL interface

--> "this tells the ASA to take the VPN client space in the outside interface,
back out the outside interface, but to dynamically overload it to the outside interface IP.
This is the actual NAT hairpin configuration that allows a VPN client to come
in the outside and then leave back out towards the internet with the NAT overload"

Yeah I have that command in place.

The object-group command is for IOS 8.3 and higher; I am on 8.2.
They changed up things after 8.2

It's the DNS lookup issue.
Other traffic is passing fine if it is hard coded with an IP address...
So certain apps work.
I have a website on one of my company's servers, and it is just IP address, no domain name associated with it.  So I can browse to that site.
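An added example, not configuration taken from the thread or from Cisco documentation: the three pieces an 8.2 full-tunnel hairpin needs (the posted ASA config already contains the intra-interface permit and the nat/global pair), the full-tunnel form of the group policy in place of the two split-tunnel lines in the Apple-forum config quoted earlier, the 8.3-and-later object-NAT form that the previous reply describes, and the CLI checks a practitioner would run before changing anything. Two caveats the checks are built around: a `nat 0` exemption on Outside that matches the pool to "any" takes priority over the dynamic rule and sends pool addresses to the Internet untranslated, and the `dns` keyword (the "DNS Rewrite" option asked about at the top) only rewrites A records in replies for addresses the rule itself translates, so it does not help a lookup that never gets an answer. The object name `VPNMobile_POOL`, the client source ports, the `<client-public-ip>` placeholder and the web-server address 203.0.113.10 (documentation space) are assumptions.

```cisco
! ---- ASA 8.2: full tunnel for the iPhone pool with u-turn (hairpin) PAT ----

! 1. Let decrypted traffic that arrived on Outside leave via Outside again.
same-security-traffic permit intra-interface

! 2. Full tunnel. tunnelall is the default, so the split-tunnel-policy /
!    split-tunnel-network-list lines from the Apple-forum config are simply
!    absent. DNS queries therefore ride the tunnel and must be answered from
!    the ASA side of it.
group-policy iPhone attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 dns-server value 8.8.8.8 8.8.4.4
 default-domain value webd2ms2.com

! 3. Hairpin PAT (8.2 nat/global syntax): pool addresses seen on Outside are
!    overloaded to the Outside interface address when they go back out Outside.
nat (Outside) 10 192.168.1.0 255.255.255.0
global (Outside) 10 interface

! Caveat: NAT exemption (nat 0 access-list) is evaluated before rule 10. If
! Outside_nat0_outbound, which the posted config references but does not show,
! matches 192.168.1.0/24 to any, the hairpinned traffic leaves untranslated.
show running-config access-list Outside_nat0_outbound

! ---- ASA 8.3 and later: the same hairpin in object-based NAT ----
! (VPNMobile_POOL is an assumed object name.)
object network VPNMobile_POOL
 subnet 192.168.1.0 255.255.255.0
nat (Outside,Outside) source dynamic VPNMobile_POOL interface

! ---- Checks, run on the ASA while the phone is connected ----
! Confirm the client's SA exists and which pool address it was handed.
show vpn-sessiondb remote
show crypto ipsec sa peer <client-public-ip>

! Simulate a DNS query and an HTTP SYN from a pool address entering Outside.
! Both should end in ALLOW, and the NAT phase should show the source
! translated to the Outside interface address. 8.8.8.8 is the DNS server from
! the group policy; 203.0.113.10 is a placeholder web server.
packet-tracer input Outside udp 192.168.1.100 50000 8.8.8.8 53
packet-tracer input Outside tcp 192.168.1.100 50001 203.0.113.10 80

! After the phone has actually tried a lookup, a PAT entry for its pool
! address should exist; none means the query never reached the NAT stage.
show xlate | include 192.168.1.

! DNS inspection in the default global policy drops replies longer than
! message-length maximum (512 bytes unless changed). If queries leave but no
! answers come back, look at the drop counters and the configured limit.
show service-policy inspect dns
show running-config policy-map
```

Read the two packet-tracer results together: a DROP at the NAT or ACL phase for the UDP/53 test but ALLOW for the TCP/80 test points at a rule that treats DNS differently, while ALLOW for both with no xlate created by the phone's real traffic points back to the tunnel or the client rather than the hairpin.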

Hello,

just to be sure it is not a client issue: what client and version are you using?

Using iPhone 5s with iOS 10, and native VPN client.
Have a friend that is using the iPhone 6 w/ iOS 10 and the same thing occurs.

The native VPN client, is that Astaro?

Take a look at this discussion, they are discussing the problem and offer various fixes.

https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/53346/iphone-and-dns-lookup-within-vpn#pi2132219853=1

It's the iPhone native client, and I think I saw that same post just a few min ago. LOL

I came across this one here:
https://discussions.apple.com/thread/1596178?start=0&tstart=0

So it seems that the iPhone has a real issue with DNS
And I am not sure what I need to do to get it working... seems some of them were able to...
And I am doing a full tunnel on the thing, no split tunnel or split DNS.