Hairpinning VPN and Internet With NAT In ASA 8.2

Over the past few months, I have received a few requests regarding hairpin scenarios and the ASA. Some time back, I provided a scenario that deals with hairpinning (also known as U-Turn) traffic between two VPN spokes in a typical ASA environment. In another article, I provided an IOS example of hairpinning traffic between a VPN spoke and the Internet. This article simply provides a commented solution to the challenge of routing Internet bound traffic through an ASA based VPN. In this article, the ASA is running version 8.2 of the operating system. In a future article, I will migrate and test a similar configuration using an ASA running 8.4.

ASA Hairpin VPN to Internet

Based on the above diagram, our challenges are as follows:

  • Allow “InsideRTR” access to the Internet (192.0.2.254) using PAT
  • Require Encryption Between 192.168.1.0/24 and 10.2.2.0/24
  • Encrypt Traffic from VPNRTR to Internet Destinations (0.0.0.0/0) via the Firewall
  • Allow 10.2.2.0/24 to utilize the same PAT Process as “InsideRTR”

Router Configurations

InsideRTR

hostname InsideRTR
!
interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

InetRTR

hostname InetRTR
!
//using dot1q to a switch (not shown)
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
!
interface FastEthernet0/0.6
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet0/0.10
 ip address 192.0.2.10 255.255.255.252
!
ip route 192.0.2.252 255.255.255.252 192.0.2.9

CustRTR

hostname CustRTR
!
interface Loopback0
 ip address 192.0.2.254 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.0.2.9 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.0.2.10

VPNRTR–All Loopback Sourced Traffic Will Go through VPN

hostname VPNRTR
!
//begin IKE phase 1 configuration
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key cisco address 192.0.2.2
!
//begin IKE phase 2 configuration
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac 
!
//Crypto ACL (all loopback traffic through VPN)
ip access-list extended VPN
 permit ip 10.2.2.0 0.0.0.255 any
!
crypto map MYMAP 10 ipsec-isakmp 
 set peer 192.0.2.2
 set transform-set MYSET 
 match address VPN
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
//physical interface with crypto policy attached
interface FastEthernet0/0
 ip address 192.0.2.5 255.255.255.252
 crypto map MYMAP
!
ip route 0.0.0.0 0.0.0.0 192.0.2.6

ASA VPN, PAT and Hairpin Configuration

//ASA5505 so it uses VLANs and Integrated Switch
hostname ASA
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
...

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
...
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

//VPN Configuration (all traffic to 10.2.2.x)

access-list VPN extended permit ip any 10.2.2.0 255.255.255.0
!
tunnel-group 192.0.2.5 type ipsec-l2l
tunnel-group 192.0.2.5 ipsec-attributes
 pre-shared-key cisco
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac 
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 192.0.2.5 
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set reverse-route
crypto map MYMAP interface outside
!
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
!
//NAT Configuration

//exempt internal to 10.2.2.x from NAT, PAT other traffic
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0

//pat the outside traffic that comes from 10.2.2.x
!
nat (outside) 1 10.2.2.0 255.255.255.0

//use the interface for Port Address Translation
global (outside) 1 interface

//allow traffic to hairpin on the interface
same-security-traffic permit intra-interface
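To show why both `nat (outside) 1 10.2.2.0 255.255.255.0` and `same-security-traffic permit intra-interface` are needed, here is an added Python model of the order in which this configuration's NAT statements are consulted for the three flows tested below. It is a constructed simplification written for this page, not ASA code or anything from the original article; the interface names and verdict labels are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed, simplified model (assumption: not ASA code) of the order in which
# the article's ASA 8.2 NAT statements are consulted for a new connection.
ASA_CFG = {
    "outside_if": ip_address("192.0.2.2"),        # interface Vlan2 address
    "inside_net": ip_network("192.168.1.0/24"),   # interface Vlan1 network
    # access-list NONAT + nat (inside) 0: inside -> 10.2.2.0/24 is exempt
    "nonat": [(ip_network("192.168.1.0/24"), ip_network("10.2.2.0/24"))],
    # nat (inside) 1 0.0.0.0 0.0.0.0  and  nat (outside) 1 10.2.2.0 255.255.255.0
    "nat_id1": {"inside": [ip_network("0.0.0.0/0")],
                "outside": [ip_network("10.2.2.0/24")]},
    "global1_interface": True,   # global (outside) 1 interface
    "intra_interface": True,     # same-security-traffic permit intra-interface
}

def ingress_if(src, cfg):
    """Inside hosts enter on 'inside'; VPN (10.2.2.x) and Internet hosts on 'outside'."""
    return "inside" if src in cfg["inside_net"] else "outside"

def egress_if(dst, cfg):
    return "inside" if dst in cfg["inside_net"] else "outside"

def translate(src_ip, dst_ip, cfg=ASA_CFG):
    """Return (source address as seen on egress, verdict) for one new flow.
    Verdicts: 'drop' (hairpin not permitted), 'exempt' (nat 0 match, sent
    through the VPN untranslated), 'pat' (global 1 interface PAT), or
    'untranslated' (no nat statement matched; nat-control is off by default in 8.2)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    in_if, out_if = ingress_if(src, cfg), egress_if(dst, cfg)
    if in_if == out_if and not cfg["intra_interface"]:
        return None, "drop"
    if in_if == "inside" and any(src in s and dst in d for s, d in cfg["nonat"]):
        return str(src), "exempt"
    if out_if == "outside" and cfg["global1_interface"] and \
            any(src in n for n in cfg["nat_id1"][in_if]):
        return str(cfg["outside_if"]), "pat"
    return str(src), "untranslated"

if __name__ == "__main__":
    for flow in [("192.168.1.5", "192.0.2.254"),   # InsideRTR to Internet
                 ("192.168.1.5", "10.2.2.2"),      # InsideRTR to VPN spoke
                 ("10.2.2.2", "192.0.2.254")]:     # VPN spoke hairpinned to Internet
        print(flow, "->", translate(*flow))
```

Removing the `nat (outside) 1` entry from the model leaves the hairpinned flow sourced from 10.2.2.2 (the RFC 1918 address the CustRTR reply could never reach), and clearing `intra_interface` drops it before NAT is even consulted.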

Test VPN to Internet Hairpinning

VPNRTR

//enable "debug ip icmp" on CustRTR
//test with traffic that shouldn't be encrypted
VPNRTR#ping 192.0.2.254                  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/52 ms

//test with traffic that should be hairpinned and use ASA PAT
VPNRTR#ping 192.0.2.254 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/44 ms

CustRTR Output

//debug already enabled prior to test
CustRTR#debug ip icmp 
ICMP packet debugging is on

//test traffic
//traffic that was direct (notice 192.0.2.5)
*Mar  1 01:28:19.987: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.5
*Mar  1 01:28:20.031: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.5
*Mar  1 01:28:20.071: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.5
*Mar  1 01:28:20.115: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.5
*Mar  1 01:28:20.155: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.5

//traffic that was hairpinned (notice 192.0.2.2)
*Mar  1 01:28:34.479: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.2
*Mar  1 01:28:34.503: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.2
*Mar  1 01:28:34.543: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.2
*Mar  1 01:28:34.591: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.2
*Mar  1 01:28:34.635: ICMP: echo reply sent, src 192.0.2.254, dst 192.0.2.2

I should make a couple of points about this article for anyone looking into this. First, just because we can do this doesn’t mean we should; I very rarely find that making a configuration unnecessarily complex is beneficial. Configurations like this one are, however, really good exercises for understanding how the ASA functions and processes traffic flows. Second, for anyone who does find a beneficial use case for hairpinning, I recommend carefully labbing the initial configuration as well as any future modifications.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

5 Responses to Hairpinning VPN and Internet With NAT In ASA 8.2

  1. will says:

    Great article. I’ll ref when needed!

    My main use case is an internet firewall that is also the client vpn firewall with split tunneling disabled.

  2. Anand Solgama says:

    nat (outside) 1 10.2.2.0 255.255.255.0

    Hi,

    What is the use of the above command? Can you please explain it to me. I have tried it in your post for 8.04 as well but cannot understand it, and yes, why is that hairpin used in that … haven’t seen it before.

    Thanks

    • Paul Stewart says:

      The reason for that is to allow the client network (emulated as Loopback0 on VPNRTR) access to the NAT process on the ASA. If the command were missing, the ASA would hairpin the traffic from 10.2.2.x to Internet destinations, but the RFC1918 address would remain. That would prevent the three-way handshake from working and break the communications. “nat (outside) 1 10.2.2.0 255.255.255.0” specifically allows clients on the 10.2.2.0/24 network access to the global 1 process (which is PAT on the interface). If the NAT were being performed elsewhere, or not required at all, this command would be unnecessary. Thanks for the question.

      • Anand Solgama says:

        Thanks Paul, so in short it is necessary to translate 10.2.2.X for CustRTR, which is coming not from the ASA inside interface but from VPNRTR.

        So that VPNRTR comes to the ASA with 10.2.2.X and goes with the translated (outside) address from the ASA towards CustRTR.

      • Paul Stewart says:

        Exactly. That may not always be required with a hairpin configuration. However I provided the example for the cases that hairpin and Internet NAT were required on the same device.
