09-19-2012 11:06 AM - edited 02-21-2020 06:20 PM
Hello everyone!
So I'm running into some issues when trying to get remote AnyConnect users to hairpin. We have servers that are out on the Internet and only allow connections from our HQ public subnet. What I want is for the remote user to come into HQ using AnyConnect, and then get NAT'ed and hairpinned out to the Internet with our HQ IP, which will allow the connection to establish. Below is the config that I've been playing around with. I tried to follow a Cisco doc (sorry I didn't provide the link) but still no luck. Let me know if anything needs to be cleared up.
ip local pool WEBVPN-POOL 10.0.100.5 10.0.100.254
!
ip access-list extended INET-NAT-ACL
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map INET-NAT-RM permit 10
 match ip address INET-NAT-ACL
!
ip nat inside source route-map INET-NAT-RM interface Vlan100 overload
!
int loopback2
 description SSL-VPN
 ! mask was missing from the post; /24 matches the VPN-INET-TRAFFIC ACL below
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
!
ip access-list extended VPN-INET-TRAFFIC
 permit ip 10.0.100.0 0.0.0.255 5.5.5.0 0.0.0.255
!
route-map VPN-INET-TRAFFIC permit 10
 match ip address VPN-INET-TRAFFIC
 set ip next-hop 10.0.100.2
!
int Vlan100
 description INET
 ip policy route-map VPN-INET-TRAFFIC
 ip nat outside
!
webvpn context HQ
 policy group HQ-WEBVPN
  svc split include 5.5.5.0 255.255.255.0
09-19-2012 05:30 PM
Hi Jork,
The configuration looks fine, let me ask you the following:
1- Is VLAN 100 the one facing the servers?
2- "debug ip icmp", what does it show you?
3- Do you see hits in the route-map (show route-map VPN-INET-TRAFFIC)?
Let me know.
Portu.
09-19-2012 11:55 PM
Hello Christopher,
You should not use the old legacy SSL VPN configuration.
Now the right way would be to use a virtual-template [where you would configure nat inside]. The advantages are multiple:
you don't recirculate the packet within the router [better performance].
you can add other IP services to the template [ACLs, service policies, ...]
More info at
Cheers,
Olivier - CCIE Security#20306
09-20-2012 05:45 AM
Hi,
I agree with Olivier.
I have not had the chance to try this configuration, but I think it should work for IPsec clients. It would be better if you update the AnyConnect settings as mentioned by Olivier.
Thanks.
09-20-2012 04:39 PM
Hi Oliver!
Looks like I'm headed in the right direction with your advice. I still can't get it to work though. What I have done is create a virtual-template, use loopback2 as the unnumbered IP, and configure "ip nat inside" on the virtual template. I then add it to the webvpn context. So when I'm testing by SSH'ing to a public switch of ours, I see the router create a NAT entry from the VPN subnet to the outside IP address. I run SSH debugs on the switch and that traffic never gets there for whatever reason. On top of that, I can't access the internal LAN even after doing a no-nat. This was working before, but will not work after the changes. Below is the config:
ip nat inside source route-map INET-NAT-RM interface Vlan100 overload
!
ip access-list extended INET-NAT-ACL
 ! 10.0.1.0/24 is a LAN subnet
 deny ip 10.0.1.0 0.0.0.255 10.0.100.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
!
interface Virtual-Access2
 description ***Internally created by SSLVPN context HQ***
 mtu 1406
 ip nat inside
 ip virtual-reassembly in
end
!
interface Virtual-Template2
 ip unnumbered loopback2
 ip nat inside
 ip virtual-reassembly in
end
!
webvpn context HQ
 virtual-template 2
My question is: what would be the preferred interface to use as the unnumbered IP? And does the "ip nat inside" go under the virtual-template and/or the loopback?
Thanks for the help!
09-20-2012 05:59 PM
Hi Jork,
NAT should be applied to the Virtual-template.
"ip unnumbered" allows you to enable IP processing on the Virtual-template without assigning it an explicit IP address. It "borrows" the IP address of another interface already configured on the router, in this case the loopback, which conserves network and address space.
The loopback is fine as the ip unnumbered interface.
Thanks.
Portu.
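Putting the advice from Olivier and Portu together, the following is an added example assembled by the editor; it is not a configuration posted by anyone in the thread and not taken from a Cisco document. It shows the virtual-template style of hairpin: the tunnel interface itself is "ip nat inside", borrows its address from Loopback2, and is bound to the webvpn context, so decrypted AnyConnect traffic to the 5.5.5.0/24 servers is translated to the Vlan100 address without the policy-route recirculation used in the original post. Pool, interface names, subnets and the NAT route-map are taken from the posts. The svc address-pool binding, the default-group-policy and inservice lines, the reverse (VPN-to-LAN) deny in the NAT ACL, the VPN-IN access list on the template and the remark lines are assumptions added here; the existing webvpn gateway and the LAN interfaces are left as they already are.

```cisco
! Address pool handed to AnyConnect clients (from the original post)
ip local pool WEBVPN-POOL 10.0.100.5 10.0.100.254
!
! The loopback only lends its address to the virtual-template.
! NAT is NOT configured here; it goes on the tunnel interface.
interface Loopback2
 description SSL-VPN
 ip address 10.0.100.1 255.255.255.0
!
! Assumption: restrict what a VPN user may reach before NAT happens.
! This is the "other IP services on the template" Olivier mentions.
ip access-list extended VPN-IN
 remark VPN pool -> public servers (hairpinned out Vlan100)
 permit ip 10.0.100.0 0.0.0.255 5.5.5.0 0.0.0.255
 remark VPN pool -> HQ LAN (not translated, see INET-NAT-ACL)
 permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny   ip any any log
!
! Every AnyConnect session is cloned from this template, so the
! decrypted packets enter the router on an "ip nat inside" interface
! and need no policy-route / loopback recirculation trick.
interface Virtual-Template2
 ip unnumbered Loopback2
 ip access-group VPN-IN in
 ip nat inside
 ip virtual-reassembly in
!
! Internet-facing interface whose address the servers allow-list
interface Vlan100
 description INET
 ip nat outside
!
! LAN <-> VPN traffic must never be translated; the VPN-to-LAN deny
! is an addition for symmetry with the one from the thread.
ip access-list extended INET-NAT-ACL
 remark LAN <-> VPN pool stays untranslated
 deny   ip 10.0.1.0 0.0.0.255 10.0.100.0 0.0.0.255
 deny   ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
 remark everything else from 10/8 (VPN pool included) is PAT'ed to Vlan100
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map INET-NAT-RM permit 10
 match ip address INET-NAT-ACL
!
ip nat inside source route-map INET-NAT-RM interface Vlan100 overload
!
webvpn context HQ
 ! sessions are instantiated from the NAT-enabled template
 virtual-template 2
 policy group HQ-WEBVPN
  ! assumption: bind the pool to the policy group
  svc address-pool "WEBVPN-POOL"
  ! only the server subnet is sent down the tunnel; other client
  ! traffic stays local, so it never reaches INET-NAT-ACL
  svc split include 5.5.5.0 255.255.255.0
 ! assumption: make HQ-WEBVPN the policy for this context
 default-group-policy HQ-WEBVPN
 inservice
```

To check the result from a connected client, "show webvpn session context HQ" should list the session on a Virtual-Access interface cloned from Virtual-Template2, "show ip nat translations" should show the 10.0.100.x client address translated to the Vlan100 address only for 5.5.5.0/24 destinations, and "show ip access-lists" should show hits on VPN-IN and on the deny lines of INET-NAT-ACL for LAN traffic. Note the trust this design creates: every AnyConnect user who reaches 5.5.5.0/24 arrives there as the HQ public address, which is exactly what the servers' allow-list accepts, so the VPN-IN access list (and whatever authentication the webvpn gateway enforces) is what limits that borrowed identity to the intended destinations.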
09-21-2012 07:43 AM
Weird.
1- What does it look like [show log]? Do we see a virtual-access interface created?
2- If you apply an ACL outbound on the interface towards the SSH server, do we see the traffic go out?
3- What version do you run?
4- Is there any output if you enable debug ip cef drops?