Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1358
Views
0
Helpful
3
Replies

Hairpin VPN to another firewall

Bill.Lopez
Level 1
Level 1

‎12-11-2013 06:47 PM

Hi,

I have a tunnel between our office and colation facility. All external http/s traffic enters the firewall in our office. I need to redirect http traffic entering the outside of the office ASA to the webserver located in the colo over the existing tunnel. Any help is appreciated. I am running 8.2(2) code.

Thanks,

Bill

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎12-12-2013 01:33 AM

Hi,

So you want to host a Web server running at a remote location through the main site using an existing L2L VPN connection?

I would imagne the first thing you need is to configure Static NAT or Static PAT for your remote locations server. You should also confirm that you have the setting that enables Hairpinning / U-turn on the "outside" interface.

same-security-traffic permit intra-interface

static (outside,outside) netmask 255.255.255.255

static (outside,outside) tcp 443 443 netmask 255.255.255.255

static (outside,outside) tcp 80 80 netmask 255.255.255.255

The above options would do a Static NAT or Static PAT for the server located behind the L2L VPN connection

I am not sure are you planning to use the "outside" interface IP address with Static PAT (Port Forward) or Static NAT with a public IP address that will be dedicated for this server. You should take into consideration that if you use the ASA interface public IP address then the ASA by default uses the port TCP/443 for SSL VPN and ASDM management.

You would also require a Dynamic Policy PAT configuration. You should PAT all the traffic coming from the Internet to a single IP Address before it heads through the L2L VPN so that you wont have to forward all of the servers external traffic through the L2L VPN. The IP address to which you PAT the traffic coming from the Internet could be an IP address configured on the L2L VPN already. For example an unused local IP address from the main sites LAN network that currently uses the L2L VPN

access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server

access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 80

access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 443

nat (outside) 200 access-list REMOTE-WEB-POLICYPAT

global (outside) 200

The above NAT configuration would do Dynamic PAT for all the Internet source addresses that were contacting the NAT IP address we previously configured for the remote server.

To my understanding the above is the basic things needed to achieve this. One main thing is to remember that after the source address has been translated (Dynamic Policy PAT) and the destination address has been untranslated (Static NAT or Static PAT) , they have to match the current L2L VPN Encryption domain. So make sure the L2L VPN configurations allow for this traffic to be tunneled.

Some naturally depends on your current setup/configuration which we dont know

- Jouni

0 Helpful

ecanyon99
Level 1
Level 1
In response to Jouni Forss

‎04-05-2014 04:35 PM

Hi Jouni,

I created the attached configuration plan based on your config details and some other documentation I pulled from the web.

Can you please take a brief look at my configuration details and see if there is something visibly wrong here?

I added all configurations, and in the end I received the following error:

global address overlaps with mask

Here is a snippit of my ssh session:

ASA# conf t
ASA(config)#same-security-traffic permit intra-interface (Note: Already existed, just placed here for reference)

ASA(config)#access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
ASA(config)#access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151

ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-1
global address overlaps with mask
ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-2
global address overlaps with mask
ASA(config)#
ASA(config)# sh log | inc 67.248.74.65
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 86533163 for outside:192.168.79.200/54564 (192.168.79.200/54564) to outside:67.248.74.65/443 (67.248.74.65/443)
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532834 for outside:192.168.79.200/54551 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532835 for outside:192.168.79.200/54552 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 86533163 for outside:192.168.79.200/54564 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
ASA(config)#

From packet captures, I am able to see traffic arriving at SITE B, from SITE A.

However, the traffic does not get translated to the Global NAT [209.177.206.151] after it arrives, which is required in order to pass to Site C.

Config details from Site B are noted below, if you have any suggestions, your help is much appreciated!

 

Thanks,

Ecanyon

 

Below is some of the config data from Site B

ASA Version 8.2(5)
!
Interfaces
----------
interface GigabitEthernet0/0
 description Outside Interface
 duplex full
 nameif outside
 security-level 0
 ip address 209.177.206.15 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside Network (192.168.229.0/24)
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.229.1 255.255.255.0
!

Elements
--------
object-group network COLO_IPs
 network-object host 67.248.74.65
 network-object host 67.248.74.68
 network-object host 67.248.74.69
 network-object host 67.248.74.70
 network-object host 67.248.74.71
 network-object host 67.248.74.59

ACLs
----
access-list inside-no-nat extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list inside-no-nat extended permit ip 192.168.79.0 255.255.255.0 object-group COLO_IPs

access-list ENCDOM100 extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list ENCDOM100 extended permit ip object-group COLO_IPs 192.168.79.0 255.255.255.0

access-list ENCDOM101 remark Site B connectivity to Site C
access-list ENCDOM101 extended permit ip host 209.177.206.151 object-group COLO_IPs

access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151

NATs/Routes
-----------
global (outside) 1 209.177.206.151 netmask 255.0.0.0
nat (inside) 0 access-list inside-no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 209.177.206.254 1

Site A Peer
-----------
crypto map outside_map 29 match address ENCDOM100
crypto map outside_map 29 set peer 64.190.206.98

Colo Peer
--------
crypto map outside_map 87 match address ENCDOM101
crypto map outside_map 87 set peer 67.248.74.61

Preview file
84 KB
0 Helpful

ecanyon99
Level 1
Level 1

‎04-05-2014 08:46 AM

See below

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents