05-03-2012 09:46 AM
Hi
I am running
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
on an ASA 5505. I would like to be able to hairpin on the internal network. The internal network comprises two networks: the inside network of the ASA 5505, which is 10.0.0.0/8, and 172.16.1.0/24. I am attaching a network diagram to aid with this request. The default gateway of both is the ASA 5505, 10.0.0.1.
I have tried this link https://supportforums.cisco.com/thread/2061002 among others
I have also done a packet trace and it appears that the packet should go through. In fact it is sent to the next module; I really don't know what that is or why it is sent to that module at all. What am I doing wrong? The packet trace follows, along with my configuration.
ACME-ASA# packet-tracer input inside icmp 10.0.0.183 8 0 172.16.1.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.0.0.0 inside 172.16.1.0 255.255.255.0
NAT exempt
translate_hits = 95, untranslate_hits = 1
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside 172.16.1.0 255.255.255.0 inside 10.0.0.0 255.0.0.0
NAT exempt
translate_hits = 1, untranslate_hits = 95
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 140365, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
====================================================================================
END OF TRACE
====================================================================================
ASA Version 8.2(1)
!
hostname ACME-ASA
domain-name intranet.ACME.com
enable password dBGEZ7W9OslQcaz2 encrypted
passwd dBGEZ7W9OslQcaz2 encrypted
names
name 192.168.10.0 PWC description pwc remote lan
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ACME
ip address pppoe setroute
!
interface Vlan3
no nameif
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST -4
dns server-group DefaultDNS
domain-name intranet.ACME.com
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list ACME_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 PWC 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.192
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 PWC 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ACMEVPN 10.0.1.1-10.0.1.50 mask 255.0.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route inside 172.16.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 99.249.241.132
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 0
vpdn group ACME request dialout pppoe
vpdn group ACME localname ACME
vpdn group ACME ppp authentication pap
vpdn username ACME password ********* store-local
dhcpd dns 69.57.241.9 69.57.241.10
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec svc webvpn
group-policy ACME internal
group-policy ACME attributes
dns-server value 10.0.0.24 10.0.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACME_splitTunnelAcl
default-domain value intranet.ACME.com
group-policy ACME internal
group-policy ACME attributes
dns-server value 10.0.0.24 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
username aandre password P4P2V54vOrErCg41 encrypted privilege 0
username aandre attributes
vpn-group-policy ACME
username uwilliams password wbsffaKVr0YepCUS encrypted privilege 0
username uwilliams attributes
vpn-group-policy ACME
username cjosephs password 2sNBaOjAVrpF740r encrypted privilege 0
username cjosephs attributes
vpn-group-policy ACME
username gjames password iARKkHERv4HyEEKL encrypted privilege 0
username gjames attributes
vpn-group-policy ACME
username cnesty password zmnUQV3pD0XWZW9I encrypted privilege 15
tunnel-group ACME type ipsec-l2l
tunnel-group ACME ipsec-attributes
pre-shared-key *
tunnel-group ACME type remote-access
tunnel-group ACME general-attributes
address-pool ACMEVPN
default-group-policy ACME
tunnel-group ACME ipsec-attributes
pre-shared-key *
!
class-map ICMP-CMAP
match access-list 101
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:311e23e2214979d1f2b8eae16013faba
: end
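The packet-tracer output above is the main diagnostic evidence in the question, so here is an added example (not the poster's or Cisco's code) that parses that format into phases, pulls out the final verdict, and flags what a reviewer would look at first: the phase that dropped the packet, an intra-interface (hairpin) flow, and a NAT phase that matched with no global pool on the egress interface. The sample input is an abridged copy of the trace from the question (only phases 1 and 8 are kept); the interpretation strings in `findings` are this example's own wording. Note that an `Action: allow` verdict covers only the forward direction of the flow that was traced; it says nothing about whether the reply takes a path back through the ASA.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase]
    final: Dict[str, str]  # key/value lines of the trailing "Result:" block

    def drop_phase(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)

    def hairpin(self) -> bool:  # packet enters and leaves on the same interface
        i, o = self.final.get("input-interface"), self.final.get("output-interface")
        return i is not None and i == o

def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    cur: Optional[Phase] = None
    section: Optional[str] = None  # "config", "info" or "final"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line == "END OF TRACE":
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur = Phase(number=int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare header: start of the trailing summary block
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue  # the "hostname# packet-tracer ..." prompt line before phase 1
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(cur, key.lower(), value.strip())
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is not None:
            getattr(cur, section).append(line)
    return Trace(phases, final)

def findings(trace: Trace) -> List[str]:
    """Observations a reviewer would want from the trace, in plain language."""
    out: List[str] = []
    p = trace.drop_phase()
    if p is not None:
        out.append(f"dropped in phase {p.number} ({p.type})")
    elif trace.final.get("Action") != "allow":
        out.append(f"verdict is {trace.final.get('Action')!r}, not allow")
    if trace.hairpin():
        out.append("hairpin flow (same ingress and egress interface): needs 'same-security-traffic "
                   "permit intra-interface' and a return path that also crosses the ASA")
    for p in trace.phases:
        if p.type == "NAT" and any("No matching global" in c for c in p.config):
            out.append(f"phase {p.number}: nat rule matched, but no global pool on the egress interface")
    return out

# Abridged copy of the trace posted in the question (phases 2-7 and 9-12 omitted).
SAMPLE_TRACE = """\
ACME-ASA# packet-tracer input inside icmp 10.0.0.183 8 0 172.16.1.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 3, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""
```

Running `findings(parse_packet_tracer(SAMPLE_TRACE))` on the abridged trace yields two observations: the flow is a hairpin on `inside`, and phase 8 matched `nat (inside) 1` with no global on that interface. The parser also handles a dropped trace, where the trailing block carries `Action: drop` and a `Drop-reason:` line, so the same function can be pointed at the output from a failing host pair.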
05-08-2012 03:40 PM
Mate,
A few comments:
1- The config looks fine.
2- You can use packet captures to trace the packets:
access-list capin permit ip host1 host2
access-list capin permit ip host2 host1
cap capin access-list capin interface inside
// to show the captures:
show cap capin
Run the captures and see if the packets are leaving the ASA, and if you are getting a reply.
3- When the router sends the response back it will not pass through the ASA, as it will see the 10 as a directly connected network. By default the ASA randomizes the ISN for TCP, and also there will be an asymmetric flow, so you may need to:
- add a more specific route on the router to send the traffic through the ASA
- hide the 10 network behind the ASA with a dynamic PAT rule on the ASA; doing this, the 172 network will see the 10 as coming from the ASA.
Hope that this helps.
Mohammad.
05-10-2012 08:15 AM
Mohammad,
Thanks for your response. These are great troubleshooting tips. I figured out the problem was with the internal router. It wasn't allowing traffic in one direction. It was configured as a gateway and not as a router. Once this was corrected, things appear to be functioning just fine. Thanks again.