ASA SSL VPN from guest network

Matthias Jeker · ‎11-01-2014

Hi

On our ASA we have a dedicated interface for guest users. The SSL VPN for accessing the inside network works fine from hosts located outside. Is it possible to VPN back in from the guest network? The guests are translated to a specific public outside address (not to the address configured on the outside interface of the ASA, but from the same public subnet).

Regards

Matthias

Marvin Rhoads · ‎11-01-2014

Yes, this is what is called "hairpinning" - as the traffic leaves and then re-enters the same physical interface.

Aref Alsouqi · ‎11-01-2014

Hi Marvin,

Please correct me if I'm wrong, I would say hairpinning (u-turn) when traffic enters and exits same interface, not the contrary.

Regards,

Aref

Marvin Rhoads · ‎11-01-2014

Well it's not a precisely defined term but more of an analogy as the "hairpin" refers to a visual representation of the path taken - flipping the direction at a device with the reverse path being a mirror image of the incoming path at the device where the direction changes.

Aref Alsouqi · ‎11-01-2014

I wanted to share that with you because thinking about if a packet leaves the interface it would reach the other end interface or another interface before being able to entering back the interface which it left, and that would be a normal flow, but if you think about it the other way, when a packet enter the interface and exit it soon it would not be necessary to reach any other interfaces before exiting out the interface on which it arrived.

Regards,

Aref

Matthias Jeker · ‎11-02-2014

Okay thanks for your explanations. When I try to connect to the outside interface from the guest network (DNS resolutions points to the public address) the connection is dropped. For testing purpose I configured an ip any any ACL on the outside interface without success. Do I have to configure anything else? As I said before from the outside anything works fine (incl. hairpinning from vpn clients to other S2S tunnels).

Security level of the outside interface is 100 and the level of the guest interface is 50. No ACL on guest interface which is denying incoming traffic.

Aref Alsouqi · ‎11-02-2014

First of all please consider that putting the outside interface in 100 security level is not recommended and would cause serious security concerns, it should be in 0 security level since it is connected to the untrusted side, but may be you are oing that only in lab. By default traffic flow from a lower security level to a higher security level is blocked, you should permit that traffic on the guest network interface (lower security level) in inbound direction not on the outside interface, because as mentioned before, in your case the traffic flow from outside interface (higher security level) would be allowed to pass to the lower security level interfaces (guest network), try to add the ip any any acl on the guest network and see if it works. Another thing you should know is that PIX/ASA by design does not allow you to ping/reach an interface from an opposite interface, for example, I cann't ssh outside interface from inside interface regardless of the security levels.

Regards,

Aref

Matthias Jeker · ‎11-02-2014

Ou! Sorry this was a typo! Outside level is 0. So packet flow is from guest interface to outside and then back in to the outside interface. Is this possible?

Aref Alsouqi · ‎11-02-2014

No worries :). When packet flow comes from guest network and reaches the outside interface it should exist that outside interface, goes to the next hop and then it would come back, you would not be able to make that traffic to make a u-turn on the outside interface without existing out of it, the u-turn would be done on the same interface on which the traffic arrives, but if it leaves the interface and pass through the ASA the u-turn would not be done, that's because when ASA pass through the traffic from an interface to another it assumes that the traffic should exit out an interface, but if you are sending traffic in inbound direction let's say on the outside interface, and you want to make the u-turn of that traffic then you would be able to do so on the same interface, means the traffic would enter that outside interface and makes the u-turn before passing through the ASA so exist again out of the outside interface.

Regards,

Aref

Matthias Jeker · ‎11-02-2014

Thanks again for your detailed explanations! So my assumption that this won't work is unfortunately true. Maybe I will install a second firewall for the guest network or enable webvpn on the guest interface itself (I know that this will result in a certificate error but that doesn't matter). They will use this connetion for testing purpose only.

Matthias Jeker · ‎11-02-2014

For the first solution I have to use DNS rewriting (otherwise the client VPN address points to the outside interface of the ASA). Until now I only configured this stuff for internal servers together with NAT. Is it possible to rewrite an A record to the interface address of the ASA itself? I don't think so:)

Aref Alsouqi · ‎11-02-2014

I don't think so Matt, since as mentioned before, asa won't allow you to reach one of its interfaces from an opposite one, but it worth lab it up.

Please have a look at these links:

http://glazenbakje.wordpress.com/2013/01/04/cisco-asa-hairpin-work-around-asa-version-8-43/

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html#wp1042114

Regards,

Aref