Cisco ASA SSL VPN hairpinning

cammaher · ‎12-01-2013

Hi All,

We are having some issues with getting hairpinning working for our SSL VPN connections on the Cisco 5585 ASA.

Our setup is that we have configured and enabled SSL VPN for our remote useres. This works fine and as expected, but at the moment we have split tunneling turned on so only internal company traffic goes through the tunnel, and all other traffic goes through the users local connection.

We have a need to enable additional traffic to go through the SSL VPN tunnel, which means that the traffic flow will be from the users device, to our ASA (via outside interface) and then back out the outside interface on the ASA to the destination. We understand that this is hairpinning and have done the following to enable it:

Added the following command to allow the same interface to be the ingress and outgress interface:

same-security-traffic permit intra-interface

We then created the following NAT rule:

nat (outside,outside) source static SSL_VPN_Client_Pool SSL_VPN_Client_Pool destination static SSL_VPN_Client_Pool
SSL_VPN_Client_Pool

We are also bypassing access-lists for VPN traffic.

Even after doing all of this we still cannot get the hairpinning to work. Has anyone else done all of this and still have trouble? If so, what other things can we try?

(In other words we have followed the Cisco documentation and still, it does not work)

The ASA version is 9.1

Jouni Forss · ‎12-01-2013

Hi,

The NAT configuration depends on the destination network.

What are you trying to reach through the "outside" interface that requires Hairpinning / U-turn? Is it another remote network through a L2L VPN connection or is it simply Internet?

If it was an Internet connection then you would have to configure Dynamic PAT to a public IP address.

Can you clarify your need/requirements.

- Jouni

cammaher · ‎12-02-2013

Hi,

Thanks for the reply.

We are trying to reach Internet and other specific networks through the outside interface. In the NAT statement we are using static NAT to public IP addresses, so that shouldn't be an issue.

Any other ideas?

Jouni Forss · ‎12-02-2013

Hi,

You mentioned this NAT rule in your original post

nat (outside,outside) source static SSL_VPN_Client_Pool SSL_VPN_Client_Pool destination static SSL_VPN_Client_Pool SSL_VPN_Client_Pool

To me this doesnt contain any public IP address. To me it seems it only contains the VPN user pool. You are basically telling that the ASA to not perform NAT for the source address in SSL_VPN_Client_Pool when they are connecting to SSL_VPN_Client_Pool. So it doesnt seem to me to be a NAT configuration that would apply to Internet traffic

To my understanding it should be something like this

nat (outside,outside) source dynamic SSL_VPN_Client_Pool interface

Or even Auto NAT might do

object network VPN-POOL-PAT

subnet

nat (outside,outside) dynamic interface

Everything ofcourse depends on your needs. The above examples should do for Internet traffic. If there is some traffic that is supposed to go to a L2L VPN connection for example then that is a totally different thing.

- Jouni

Jim Heuton · ‎06-23-2015

This problem had been hounding us since we upgraded our ASAs from 8.4.1 to 9.1.5. Found another forum posting explaining what had changed with NAT, made the suggested change, and we were once again able to ping and manage our ASAs (SSH/ASDM) from an AnyConnect VPN session through the same ASA.

Here's the link (hope it doesn't get deleted): http://www.petenetlive.com/KB/Article/0000984.htm

Basically, make sure you add the "route-lookup" command to the end of your VPN NAT entry. Resolved our problem in about 2 minutes... HTH - Jim