ASA-AWS Cannot get hair pinning to work with AC full tunnel!

MSDarkmatter
Level 1

Hey all,
I'm trying to get hair pinning to work with a full tunnel so I can do some testing.  I want to be able to bring up a full tunnel via Anyconnect to the ASA and surf the internet via that tunnel...  I've tried everything I can find and simply can't seem to get this to work.  Relevant config:

: Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (2 cores)
:
ASA Version 9.13(1)7
!
ip local pool VPN_range 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 dhcp client route distance 2
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address dhcp setroute
!
interface Management0/0
 no management-only
 nameif management
 security-level 100
 ip address dhcp setroute
!
same-security-traffic permit intra-interface
object network vpn-pool
 range 192.168.4.1 192.168.4.254
 description VPN Pool
access-list 101 extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_access_out extended permit ip any any
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (outside,outside) source dynamic vpn-pool interface
nat (outside,inside) source static vpn-pool vpn-pool
access-group 101 in interface outside
access-group outside_access_out out interface outside
access-group 101 in interface inside

Let me know if I've missed something relevant and I'll post...thanks in advance for any help!


Can you try this?

!
object network vpn-pool
 no range 192.168.4.1 192.168.4.254
 subnet 192.168.4.0 255.255.255.0
!
nat (outside,outside) source dynamic vpn-pool interface
nat (inside,outside) source dynamic interface
no nat (outside,inside) source static vpn-pool vpn-pool
!

please do not forget to rate.

Hey Sheraz.Salim, thanks for quick reply!  I've put most of it in place, but the command:

nat (inside,outside) source dynamic interface

is incomplete and I didn't want to assume, since I couldn't figure it out before.  The output I see is:

ciscoasa(config)# nat (inside,outside) source dynamic interface
ERROR: % Incomplete command

The options I have are:

ciscoasa(config)# nat (inside,outside) source dynamic interface ?

configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT
pat-pool Specify object or object-group name for mapped source pat pool

I can't believe I'm having this much trouble with this...I'm hoping it doesn't come down to something with AWS...thanks so much for your help!


I am sorry, typo error.

try this "nat (inside,outside) dynamic interface"

Regards

sheraz

please do not forget to rate.

No go...here's the output:

ciscoasa(config)# nat (inside,outside) dynamic interface
ERROR: % Invalid input detected at '^' marker. ( '^' was at the "d" in "dynamic")
ciscoasa(config)# nat (inside,outside) ?

configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters

Thanks again!!!

object network vpn-pool
 no range 192.168.4.1 192.168.4.254
 subnet 192.168.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
You need to put the above NAT rule in section 2. Just copy, paste and test it.

Also, could you show the tunnel-group configuration and group-policy configuration too?

please do not forget to rate.

This time, no errors...config took...but still can't surf the net through a full tunnel.  UGH!!!  I'll message you with the full config (minus anything sensitive) if you'd like to take a look, and again, thanks for all the help!!

Hi @MSDarkmatter

Try the below config and let us know how it works.

group-policy FullTunnel internal
group-policy FullTunnel attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
!
tunnel-group FullTunnel type remote-access
tunnel-group FullTunnel general-attributes
 address-pool VPN_range
!
tunnel-group FullTunnel webvpn-attributes
 group-alias FullTunnel enable
 authentication aaa
!
username test password xxxxxx
!
same-security-traffic permit intra-interface
!
object network vpn-pool
 subnet 192.168.4.0 255.255.255.0
 description VPN Pool
 nat (outside,outside) dynamic interface

please do not forget to rate.

Looking into the issue, we applied a fix by adding a NAT rule for management.

nat (management,management) dynamic interface

This above command fixes the issue for the full tunnel AnyConnect.

Hope this will help others with similar issues.

please do not forget to rate.
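Added example (not code from the thread, from Cisco or from either poster): a small Python linter that parses an ASA config in its saved-text form, sorts the NAT rules into the three evaluation sections the replies refer to (manual NAT in section 1, object NAT in section 2, after-auto manual NAT in section 3), flags object-NAT syntax typed at global config (the "Invalid input" error shown earlier in the thread), and reports whether the VPN pool gets hairpin PAT on a chosen interface together with `same-security-traffic permit intra-interface` and a `tunnelall` group-policy. The two config samples are constructed and only modelled on the thread; the function and class names (`parse_nat_rules`, `check_hairpin`, `NatRule`) are mine. It checks syntax and presence of the settings only; it does not see routing, so it cannot tell you which interface the tunnel actually terminates on.

```python
"""Lint an ASA text config for AnyConnect full-tunnel hairpin prerequisites.

Added example, not from the thread. Parses the saved-config text form, sorts
NAT rules into the three evaluation sections (1 = manual, 2 = object/auto,
3 = manual after-auto) and checks the settings the replies converge on.
"""
import re
from dataclasses import dataclass
from typing import Optional

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<rest>.+)$")
# Sub-commands that can follow "object network" when a config is pasted without indentation.
OBJECT_SUBCOMMANDS = ("range ", "subnet ", "host ", "fqdn ", "description ", "nat ")


@dataclass
class NatRule:
    section: Optional[int]  # None = object-NAT syntax at global config (the ASA rejects it)
    real_if: str
    mapped_if: str
    obj: Optional[str]      # real (source) object the rule translates
    text: str


def parse_nat_rules(config: str) -> list:
    """Return every nat line with its evaluation section and source object."""
    rules, current_object = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":", "no ")):
            continue
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT_RE.match(line)
        words = m["rest"].split() if m else []
        if "source" in words:
            # Manual (twice) NAT only exists at global config:
            # nat (real,mapped) [pos|after-auto] source dynamic|static <real-obj> <mapped>
            current_object = None
            section = 3 if words[0] == "after-auto" else 1
            real_obj = words[words.index("source") + 2]
            rules.append(NatRule(section, m["real"], m["mapped"], real_obj, line))
            continue
        # Indented lines, or known sub-commands in an unindented paste, stay in the object block.
        if not (raw[:1].isspace() or line.startswith(OBJECT_SUBCOMMANDS)):
            current_object = None
        if m:
            rules.append(NatRule(2 if current_object else None,
                                 m["real"], m["mapped"], current_object, line))
    return rules


def check_hairpin(config: str, pool_object: str = "vpn-pool", vpn_interface: str = "outside") -> dict:
    """Report whether the pool is PATed back out of vpn_interface, plus the supporting settings."""
    lines = [l.strip() for l in config.splitlines()]
    rules = parse_nat_rules(config)
    hairpin = [r for r in rules
               if r.section and r.real_if == r.mapped_if == vpn_interface and r.obj == pool_object
               and {"dynamic", "interface"} <= set(r.text.split())]
    policy, tunnelall = None, []
    for line in lines:
        if line.startswith("group-policy ") and line.endswith(" attributes"):
            policy = line.split()[1]
        elif line == "split-tunnel-policy tunnelall" and policy:
            tunnelall.append(policy)
    ordered = sorted((r for r in rules if r.section), key=lambda r: r.section)
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "hairpin_nat": bool(hairpin),
        "tunnelall_policies": tunnelall,
        "invalid_nat": [r.text for r in rules if r.section is None],
        "nat_order": [r.text for r in ordered],  # order the ASA evaluates them in
    }


# Constructed sample modelled on the thread's replies (not the poster's real config).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 192.168.4.0 255.255.255.0
 description VPN Pool
 nat (outside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
group-policy FullTunnel internal
group-policy FullTunnel attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
"""

# Constructed sample of the mistake seen in the thread: object-NAT syntax at global config.
MISPLACED_CONFIG = """\
object network vpn-pool
 subnet 192.168.4.0 255.255.255.0
access-list 101 extended permit ip any any
nat (inside,outside) dynamic interface
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("misplaced", MISPLACED_CONFIG)):
        print(name, check_hairpin(cfg))
    print("management hairpin:", check_hairpin(SAMPLE_CONFIG, vpn_interface="management")["hairpin_nat"])
```

Run `check_hairpin(cfg, vpn_interface="management")` to test the management-interface variant of the fix. The parser follows saved-config indentation and falls back to keyword matching for unindented pastes like the ones in this thread, so a global `nat ... dynamic interface` line that directly follows an object block is attributed to that object; on a real `show running-config` the indentation removes that ambiguity.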

Sheraz, thanks so much for your help...incredible kindness and helpfulness...if things ever get back to normal and I find myself in your neck of the woods, dinner's on me!!