Remote-access Guide

cisco asa remote access vpn hairpinning

by Prof. Otto Harvey Published 2 years ago Updated 2 years ago
image

The ASA includes a feature that lets a VPN client send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface. Also called “hairpinning”, this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (ASA).

Cisco ASA VPN Hairpinning Configuration Example
  1. EDIT:
  2. Allow intra-interface traffic (to enter and exit same interface)
  3. Configure required network objects.
  4. ACL for VPN Interesting Traffic. ...
  5. NAT Exemption for VPN traffic between Site1 – Site2.
  6. Configure PAT for local LAN to access the Internet using ASA1 outside interface.

Full Answer

What is hairpin in Cisco ASA?

Cisco ASA Hairpin Remote VPN Users The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface. This behavior is typically known as “hairpin” or “u-turn”. Sometimes however we need our ASA to permit this kind of traffic.

How to configure Cisco AnyConnect VPN on ASA?

Choose Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Client Software > Add in order to add the Cisco AnyConnect VPN client image from the flash memory of ASA as shown. Configure Group Policy.

What is VPN hairpinning (VPN on a stick)?

They must come to Site1 (ASA1) over the VPN tunnel and then exit the same ASA1 firewall for accessing the Internet. The situation of having VPN traffic entering and exiting the same ASA interface is called VPN Hairpinning (or “ VPN on a stick ”).

How to configure the hairpin Nat in AnyConnect?

If the Anyconnect client traffic tries to reach an external site (such as google.com) the hairpin NAT (or U-turn) is responsible to route the traffic from outside to outside. A VPN pool object must be created before the NAT configuration. 1. Create a new NAT statement, select Auto NAT Rule in the NAT Rule field and select Dynamic as the NAT Type.

image

What is Hairpinning in VPN?

Hairpin and split tunnel VPN - Cisco Tutorial A hairpin connection is when traffic enters a gateway and the device immediately reroutes the traffic to the internet or another company site, such as in a hub and spoke configuration. We call this configuration hairpin becomes the traffic pattern resembles a hairpin.

What is Hairpinning Cisco ASA?

Hairpinning (U-turn Traffic): Hairpinning is a term to describe traffic that is routed out of the same interface from which it entered. Requirements: Cisco ASA firewall running 8.3 code or above.

What is Sysopt connection permit VPN?

The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists, while a vpn-filter is applied to postdecrypted traffic after it exits a tunnel and to preencrypted traffic before it enters a tunnel.

Does Cisco AnyConnect route all traffic?

With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if the IP address assigned by the ASA is 10.1.

What is NAT Hairpinning?

NAT hairpinning is a useful technique for accessing an internal server using a public IP. In order to ensure that the flow occurs properly: Both the source and destination IP addresses need to be modified so each device sees the traffic flowing to and from the correct locations.

How do I set up NAT reflection?

To fully activate the feature, check both Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection....To enable NAT Reflection globally:Navigate to System > Advanced on the Firewall & NAT.Locate the Network Address Translation section of the page.Configure the NAT Reflection options as follows:

Does Cisco AnyConnect have split tunneling?

This configuration allows the client secure access to corporate resources via SSL while giving unsecured access to the Internet using split tunneling. (anyconnect-win*. pkg) from the Cisco Software Download (registered customers only) .

Does Cisco AnyConnect allow split tunneling?

Dynamic Split Tunnel Include AnyConnect will send only the domains listed in the configuration over the secure vpn tunnel and all other traffic will be sent in the clear.

What is split include?

A split tunnel configured to only tunnel traffic destined to a specific set of destinations is called a split-include tunnel. When configured to accept all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel.

Why do we need to configure ASA?

We need to configure the ASA to permit traffic that enters and exits the same interface.

Does Cisco ASA firewall allow hairpin traffic?

The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface. This behavior is typically known as “hairpin” or “u-turn”. Sometimes however we need our ASA to permit this kind of traffic. Here’s an example:

How to remote access VPN?

Based on the previous steps, the Remote Access Wizard can be followed accordingly. 1. Navigate to Devices > VPN > Remote Access. 2. Assign the name of the Remote Access policy and select an FTD device from the Available Devices. 3.

What extension to save profile name?

Note: Save the profile with an easily identifiable name with a .xml extension.

How to create XML profile?

1. Download the Profile Editor tool from Cisco.com and run the application. 2. In the Profile Editor application, navigate to Server List and select Add as shown in the image. 3. Assign a Display Name, Fully Qualified Domain Name (FQDN) or IP Address and select OK as shown in the image.

What is NAT exemption?

The NAT exemption is a preferred translation method used to prevent traffic to be routed to the internet when it is intended to flow over a VPN tunnel (Remote Access or Site-to-Site).

Why do certificates have a CN extension?

Additionally, the certificate must contain a Common Name (CN) extension with DNS name and/or IP address in order to avoid "Untrusted server certificate" errors in web browsers.

What is a translation method that allows the traffic to flow over the same interface that is received on?

Also known as U-turn, this is a translation method that allows the traffic to flow over the same interface that is received on.

Does AnyConnect support RSA?

Certificates are essential when you configure AnyConnect. Only RSA based certificates are supported for SSL and IPSec.

How to enable SSL VPN on Cisco AnyConnect?

Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles and under Access Interfaces , click the check boxes Allow Access and Enable DTLS for the outside interface. Also, check the Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interface selected in the table below check box in order to enable SSL VPN on the outside interface.

What is hub and spoke VPN?

For example, if you have a hub-and-spoke VPN network where the security appliance is the hub and the remote VPN networks are spokes, in order for one spoke to communicate with another spoke traffic must go to the security appliance and then out again to the other spoke.

What is Cisco AnyConnect VPN?

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.

How to add NAT rule to Anyconnect?

Choose Configuration > Firewall > NAT Rules > Add NAT Rule Before "Network Object" NAT Rules so the traffic that comes from the outside network (Anyconect Pool) and it's destined to another Anyconnect Client from the same pool does not get translated with outside IP address 172.16.1.1.

What does the security appliance do when a client is authenticated?

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client and upgrades the client as necessary.

How does a security appliance download client?

The security appliance downloads the client based on the group policy or username attributes of the user that establishes the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.

Why assign a completely different pool of IP addresses to the VPN Client?

Note: In order to avoid an overlap of IP addresses in the network , assign a completely different pool of IP addresses to the VPN Client (for example, 10.x.x.x , 172.16.x.x, and 192.168.x.x). This IP addressing scheme is helpful in order to troubleshoot your network.

What is the traffic pattern called in Cisco ASA?

The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface. This kind of traffic pattern is called hairpinning or u-turn traffic.

What is the IP address of ASA?

Above we have a webserver using IP address 192.168.1.2 on our internal LAN. The ASA is configured so that IP address 192.168.2.220 on the outside is translated to IP address 192.168.1.2. This allows users on the Internet to access our webserver.

What command to get ipsec hairpinning working?

For ipsec hairpinning on an ASA the command to get this working is 'same-security-traffic permit intra-interface' .

Do you need a proxy for Dissidente?

Dissidente, you need some type of proxy. I would suggest you setup a work station or server that you and your developer can RDP/VNC/etc into and from it be able to access the hosting site.

Can you split tunnel with hair pin?

You can do split tunnel w/ hair pinning from the ASA . In order to do this, you need to be running at least software version 8.x+ , preferable 8.2.x. Version 8.3 requires a memory upgrade on the ASA.

Does hair pin work with VPN?

1. Hair pinning only works to allow you to go from one vpn tunnel to another from an ASA. No vpn tunnels are configured here between their office and the hosting company. At least none mentioned. That and no way to lock this down to just a couple profiles, its an all or nothing configuration.

Why does ASA change NAT?

Why? After version 8.3 the ASA changed the way it handles NAT, because of this, if the main site is running an OS NEWER than 8.3, you need to add a NAT exemption. This will apply to traffic going from the remote VPN pool to the remote sites subnet. We can reuse the OBJ-REMOTE-VPN-CLIENTS object, (we created above,) to do this. Also (above) we found out the subnet at the remote site is already defined in an abject called OBJ-RemoteSite, so I’ll reuse that also.

How to see the main site and subnets of a VPN?

When connected, if you open the VPN client software and select > Details > Route Details. Then you should see both the main site, and the remote site subnets.

How to see the subnet of a VPN?

When connected, if you open the VPN client software and select Statistics > Route Details > you should see the subnet of both the main site and the remote site listed as ‘Secured Routes’

Does hair pin VPN work?

With a Hair Pinned VPN the original remote VPN will still work, but we can also send and receive traffic to the remote site, over the same VPN.

image

Introduction

Prerequisites

  • Requirements
    Cisco recommends that you have knowledge of these topics: 1. Basic remote access VPN, Secure Sockets Layer (SSL) and Internet Key Exchange version 2 (IKEv2) knowledge 2. Basic Authentication, Authorization, and Accounting (AAA) and RADIUS knowledge 3. Basic FMC kno…
  • Components Used
    The information in this document is based on these software and hardware versions: 1. Cisco FMC 6.4 2. Cisco FTD 6.3 3. AnyConnect 4.7 The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a …
See more on cisco.com

Background Information

  • This document is intended to cover the configuration on FTD devices, if you seek for the ASA configuration example, please refer to the document: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html Limitations: Currently, these features are unsup…
See more on cisco.com

Nat Exemption and Hairpin

  • Step 1. NAT Exemption Configuration
    TheNAT exemptionis a preferred translation method used to prevent traffic to be routed to the internet when it is intended to flow over a VPN tunnel (Remote Access or Site-to-Site). This is needed when the traffic from your internal network is intended to flow over the tunnels without a…
  • Step 2. Hairpin Configuration
    Also known as U-turn, this is a translation method that allows the traffic to flow over the same interface the traffic is received on. For example, when Anyconnect is configured with a Full tunnelsplit-tunnel policy, the internal resources are accessed as per the NAT Exemption policy. I…
See more on cisco.com

Verify

  • Use this section to confirm that your configuration works properly. Run these commands in the FTD's command line. 1. sh crypto ca certificates 2. show running-config ip local pool 3. show running-config webvpn 4. show running-config tunnel-group 5. show running-config group-policy 6. show running-config ssl 7. show running-config nat
See more on cisco.com

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9