
Cisco ASA VPN Hairpinning Configuration Example

Written By Harris Andrea

EDIT:

My Book “Cisco ASA Firewall Fundamentals-3rd Edition” is now available on Amazon as Paperback physical book. MORE INFORMATION HERE

Some time ago a visitor to my website asked me for help with a special Cisco ASA VPN configuration, and I thought I would share it here to help other people as well.

The specific network scenario and the requirements of the network setup are the following:

  • Two sites are connected with an IPSEC site-to-site VPN over the Internet. Both sites use Cisco ASA firewalls (version 9.x or 8.4).
  • Site1 is the main headquarters site and Site2 is a remote branch site.
  • The LAN networks of the two sites communicate with each other over the IPSEC VPN tunnel.
  • Hosts in Site1 (network 192.168.1.0/24) can access the Internet via the local Internet connection through ASA1.
  • Hosts in Site2 (network 192.168.2.0/24) can access the Internet ONLY through Site1 via the VPN tunnel. Although there is a local Internet connection at Site2, hosts are not allowed to access the Internet directly. They must reach Site1 (ASA1) over the VPN tunnel and then exit the same ASA1 firewall to access the Internet.
  • The situation of having VPN traffic entering and exiting the same ASA interface is called VPN Hairpinning (or “VPN on a stick”).

Scenarios like the above are useful when you want centralized control of all Internet access (for hosts in the main site and for hosts in the remote branch sites as well). You can implement content filtering, caching, virus protection etc. at the central main site and have all the other sites use these centralized resources.

Some key points to have in mind in order to implement the scenario above are the following:

  • Since Site2 hosts (private IP addresses) are not allowed to access the Internet locally, you must not configure NAT on ASA2 to translate their private addresses to the public address. Without such a translation they cannot reach the Internet directly through ASA2.
  • On ASA1, you will have traffic from Site2 entering and exiting the same interface (the outside interface of the firewall). To implement this you must enable “intra-interface” traffic on ASA1, so that traffic can enter and exit the same interface. You can do this using the command “same-security-traffic permit intra-interface”.
  • On ASA1 you must perform PAT on traffic coming from Site2 so that it can access the Internet via the outside interface. Because this traffic both enters and exits on the outside interface, the NAT rule uses the interface pair (outside,outside), not (inside,outside).
  • The ACL used for VPN Interesting Traffic on ASA2 must allow 192.168.2.0 towards “any IP”. This is required so that Site2 can reach Internet hosts through the VPN tunnel.
  • The ACL used for VPN Interesting Traffic on ASA1 must allow “any IP” towards 192.168.2.0. This is required so that returning traffic from Internet hosts flows through the VPN tunnel towards Site2.

Let’s now see the configuration on both ASA1 and ASA2.

Note: Only relevant configuration is shown.

ASA1

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

!Allow intra-interface traffic (to enter and exit same interface)

same-security-traffic permit intra-interface

!Configure required network objects

object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
object network internal-lan
subnet 192.168.1.0 255.255.255.0

!ACL for VPN Interesting Traffic. We allow any IP towards Site2

access-list VPN-ACL extended permit ip any 192.168.2.0 255.255.255.0

!NAT Exemption for VPN traffic between Site1 – Site2

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

!Configure PAT for local LAN to access the Internet using ASA1 outside interface

object network internal-lan
nat (inside,outside) dynamic interface

!Configure PAT for remote Site2 LAN to access the Internet via ASA1 outside interface

object network obj-remote
nat (outside,outside) dynamic interface

!Configure Site-to-Site IPSEC VPN

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 30.30.30.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
ikev1 pre-shared-key cisco123


ASA2

interface GigabitEthernet0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0

!Configure required network objects

object network obj-local
subnet 192.168.2.0 255.255.255.0
object network obj-remote
subnet 192.168.1.0 255.255.255.0

!ACL for VPN Interesting Traffic. We allow Site2 towards any IP.

access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 any

!NAT Exemption for VPN traffic between Site2 – Site1

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

!Configure Site-to-Site IPSEC VPN

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 20.20.20.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
ikev1 pre-shared-key cisco123
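As an added example (not code from the article or from Cisco), the following Python script turns the key points listed earlier into automated checks: it parses the small subset of ASA configuration syntax the checks need and reports whether a hub (ASA1) or spoke (ASA2) configuration satisfies them. The sample configurations embedded in it are constructed from the ASA1/ASA2 examples above; ASA1_BAD is constructed to reproduce the two mistakes raised in the comments (an (inside,outside) PAT rule for the remote LAN, and a crypto ACL without “any”). The object names, the ANY sentinel and the function names are the example's own.

```python
"""Checker for the ASA hairpin-VPN key points (added example; not the article's or Cisco's code)."""
import re

ANY = "any"  # normalized form of the ACL keyword 'any' and of a 0.0.0.0 0.0.0.0 object

def _endpoint(tokens, objects):
    """Consume one ACL address spec, returning (normalized value, remaining tokens)."""
    kw = tokens[0]
    if kw in ("any", "any4"):
        return ANY, tokens[1:]
    if kw == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    if kw == "object":
        if tokens[1] not in objects:
            raise ValueError(f"ACL references undefined object {tokens[1]}")
        net = objects[tokens[1]]
        return (ANY if net == ("0.0.0.0", "0.0.0.0") else net), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]  # plain 'address mask' form

def parse_asa_config(text):
    """Extract network objects, object NAT, extended ACLs and the crypto-map ACL name."""
    cfg = {"intra_interface": False, "objects": {}, "object_nat": {}, "acls": {}, "crypto_acl": None}
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is ignored, so 'show running-config' output works too
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif t[:2] == ["object", "network"] and len(t) == 3:
            current_obj = t[2]
        elif t[0] == "subnet" and current_obj and len(t) == 3:
            cfg["objects"][current_obj] = (t[1], t[2])
        elif t[0] == "nat" and len(t) >= 3 and t[2] != "source" and current_obj:
            m = re.fullmatch(r"\((\S+),(\S+)\)", t[1])  # object NAT; twice NAT ('source') is ignored
            if m:
                cfg["object_nat"][current_obj] = ((m.group(1), m.group(2)), " ".join(t[2:]))
        elif t[0] == "access-list" and len(t) >= 7 and t[2] == "extended":
            src, rest = _endpoint(t[5:], cfg["objects"])
            dst, _ = _endpoint(rest, cfg["objects"])
            cfg["acls"].setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acl"] = t[6]
    return cfg

def _crypto_acl_permits(cfg, src, dst):
    return ("permit", "ip", src, dst) in cfg["acls"].get(cfg["crypto_acl"], [])

def check_hub(cfg, remote_lan):
    """ASA1 key points: intra-interface, (outside,outside) PAT for the remote LAN, any->remote ACL."""
    f = []
    if not cfg["intra_interface"]:
        f.append("missing 'same-security-traffic permit intra-interface'")
    pat = {n: p for n, (p, _) in cfg["object_nat"].items() if cfg["objects"].get(n) == remote_lan}
    if not pat:
        f.append("no object NAT rule translates the remote LAN for Internet access")
    f += [f"PAT for {n} uses ({p[0]},{p[1]}); hairpinned traffic needs (outside,outside)"
          for n, p in pat.items() if p != ("outside", "outside")]
    if not _crypto_acl_permits(cfg, ANY, remote_lan):
        f.append("crypto ACL must permit ip any -> remote LAN so return traffic enters the tunnel")
    return f

def check_spoke(cfg, local_lan):
    """ASA2 key points: local->any ACL, and no object NAT that sends the LAN to the Internet locally."""
    f = []
    if not _crypto_acl_permits(cfg, local_lan, ANY):
        f.append("crypto ACL must permit ip local LAN -> any")
    f += [f"object NAT for {n} ({p[0]},{p[1]}) lets the LAN reach the Internet locally"
          for n, (p, _) in cfg["object_nat"].items() if cfg["objects"].get(n) == local_lan]
    return f

# Constructed from the article's ASA1/ASA2 examples (only the lines the checks look at).
ASA1_GOOD = """
same-security-traffic permit intra-interface
object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
access-list VPN-ACL extended permit ip any 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network obj-local
 nat (inside,outside) dynamic interface
object network obj-remote
 nat (outside,outside) dynamic interface
crypto map VPNMAP 10 match address VPN-ACL
"""
# Constructed: the two mistakes from the comments, an (inside,outside) PAT and an ACL without 'any'.
ASA1_BAD = (ASA1_GOOD.replace("nat (outside,outside)", "nat (inside,outside)")
            .replace("permit ip any ", "permit ip 192.168.1.0 255.255.255.0 "))
ASA2_GOOD = """
object network obj-local
 subnet 192.168.2.0 255.255.255.0
object network obj-remote
 subnet 192.168.1.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 any
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto map VPNMAP 10 match address VPN-ACL
"""
```

Usage is `check_hub(parse_asa_config(text), ("192.168.2.0", "255.255.255.0"))` for ASA1 and `check_spoke(...)` with the local LAN for ASA2; an empty list means every key point is satisfied, and each string in a non-empty list names the key point that is violated. The parser also accepts the `object ... subnet 0.0.0.0 0.0.0.0` spelling of “any” that one commenter used. It does not look at routing, so the default route that the first comment points out still has to be verified separately.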



About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Tom Graham says

    October 30, 2014 at 8:50 pm

    Example does not work. The initial problem I see is that there is no route for the ASA1 to find 20.20.20.1 and ASA2 to find 30.30.30.1

    At minimum you need a default route at each site.

  2. BlogAdmin says

    October 30, 2014 at 8:55 pm

    Hi Tom,
    Thanks for your comment. The config shown is not the whole configuration. There is also a note in the article above stating that “only relevant configuration is shown”. You are right that you always need a default route (when connected to the Internet), which I haven’t included in the above configuration.

    In any case the example above works since I have tried it.

    Thanks again

    Harris

  3. Dominik D. says

    April 6, 2016 at 8:46 pm

    Nice, helped me a lot.
    However, and here is the kicker. Once I found your site, I still did not get it and spent another 2 hours looking for a working solution.
    The problem was that I did for some reason not see the (outside,outside) on the PAT for the outside interface, but instead was so used to using (inside,outside) there that I used that. And that of course was not working.

    Would you maybe consider somehow highlighting that part so others don’t make the same mistake :-)

    Otherwise great article and as I said, worked for me just fine.

  4. BlogAdmin says

    April 7, 2016 at 6:52 am

    Dominik I’m glad my article helped you, thanks for the feedback.

    Harris

  5. Emenike says

    March 28, 2017 at 12:38 am

    Hallo Harris,
    Your website is a gift to those that know about it. I am very glad to have stumbled upon it and it has been very helpful to me. Your method of breaking down configurations is so good. You are amazing and I will make sure I buy your books to help me more in my pursuit of CCNP Security, which I just started recently. With your great tutorials I am making progress.

    Thanks a lot and may God bless you.

    regards,
    Emenike

  6. Harris Andrea says

    March 28, 2017 at 4:42 am

    Emenike,

    Thank you so much for your nice words. This gives me more strength to continue offering my knowledge to the networking community.

    Harris

  7. Raul says

    August 16, 2017 at 6:37 pm

    Hi Harris,

    Is this configuration included in any of your books? If so, which book is it, because I’m interested in buying that book. Thanks.

    thanks

  8. Harris Andrea says

    August 17, 2017 at 5:21 am

    Raul,

    This specific configuration is not included in my books. However, you will find many more special configurations in my books which you won’t find easily anywhere else :)

    Please let me know if you need anything.

    Harris

  9. CheekiBreeki says

    February 23, 2019 at 11:15 pm

    Hi Harris
    Just want to thank you for this clean and straightforward configuration.
    Just tested it in my GNS lab and it goes straight into production for a very critical task next week.

    My family will thank you for time and headache saved!

    Regards

  10. Harris Andrea says

    February 24, 2019 at 10:41 am

    I’m glad my configuration has helped you. Have a great day.

    Harris

  11. Dylan says

    September 3, 2019 at 11:15 am

    What is the static route going to be? I set everything but I am still unable to ping it.

  12. Harris Andrea says

    September 3, 2019 at 12:10 pm

    Ping what? What are you trying to access, and from where?

  13. Dylan says

    September 4, 2019 at 2:35 am

    I am trying to get ASA2 to use ASA1 for internet access. However, the connection above doesn’t allow the routing to ASA1 for internet access. Rather, it is still dropping. The VPN is up though. Clients on ASA2 could access ASA1 resources but not internet.

    In conclusion, I want clients from ASA2 to route to ASA1 to use the Internet.

  14. Harris Andrea says

    September 4, 2019 at 4:41 am

    The default routes on ASA1 and ASA2 must be pointing to the border router/gateway of each ASA device. Check also that your DNS resolution works on clients of ASA2.

  15. Dylan says

    September 4, 2019 at 5:35 am

    Hi Harris,

    It is… already pointing to the border router/gateway.
    DNS is working fine and reachable too.

  16. Harris Andrea says

    September 4, 2019 at 7:16 am

    Can you send the output (from both ASA) of:
    show crypto isakmp sa
    show crypto ipsec sa

  17. Dylan says

    September 4, 2019 at 7:47 am

    ASA1 (Main)

    IKEv1 SAs:

    Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2

    1 IKE Peer: b.b.b.b
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE

    interface: outside-isp
    Crypto map tag: outside-isp_map, seq num: 2, local addr: a.a.a.a

    access-list outside-isp_cryptomap_2 extended permit ip host 172.217.160.99 10.11.0.0 255.255.0.0
    local ident (addr/mask/prot/port): (172.217.160.99/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
    current_peer: b.b.b.b

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 180, #pkts decrypt: 180, #pkts verify: 180
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: a.a.a.a/0, remote crypto endpt.: b.b.b.b/0
    path mtu 1500, ipsec overhead 74(44), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: CB9968D5
    current inbound spi : 48B1DAD9

    inbound esp sas:
    spi: 0x48B1DAD9 (1219615449)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 8470528, crypto-map: outside-isp_map
    sa timing: remaining key lifetime (kB/sec): (3914989/27995)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
    spi: 0xCB9968D5 (3415828693)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 8470528, crypto-map: outside-isp_map
    sa timing: remaining key lifetime (kB/sec): (3915000/27995)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    =====================================================

    ASA2 (Remote)
    IKEv1 SAs:

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: a.a.a.a
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE

    interface: outside-isp
    Crypto map tag: outside-isp_map0, seq num: 1, local addr: b.b.b.b

    access-list outside-isp_cryptomap_2 extended permit ip 10.10.0.0 255.255.0.0 host 172.217.160.99
    local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (172.217.160.99/255.255.255.255/0/0)
    current_peer: a.a.a.a

    #pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 69, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: b.b.b.b/0, remote crypto endpt.: a.a.a.a/0
    path mtu 1500, ipsec overhead 74(44), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 48B1DAD9
    current inbound spi : CB9968D5

    inbound esp sas:
    spi: 0xCB9968D5 (3415828693)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 1204224, crypto-map: outside-isp_map0
    sa timing: remaining key lifetime (kB/sec): (4374000/28549)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    outbound esp sas:
    spi: 0x48B1DAD9 (1219615449)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 1204224, crypto-map: outside-isp_map0
    sa timing: remaining key lifetime (kB/sec): (4373996/28549)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

  18. Harris Andrea says

    September 4, 2019 at 9:09 am

    The problem seems to be the VPN ACL (outside-isp_cryptomap_2). You must have “any” in this ACL. Check the article where I mention this detail about the ACL for the “VPN interesting traffic”

  19. Dylan says

    September 4, 2019 at 9:17 am

    Hi Harris,

    Thank you. I have amended it accordingly, however, it is still not working. The remote client in ASA2 still is unable to load the page nor ping any external websites.

  20. Dylan says

    September 6, 2019 at 6:58 am

    Any idea? Also, do I need a static route for this?

  21. Harris Andrea says

    September 6, 2019 at 9:26 am

    Sorry I can’t help more without actually having access to the environment.

  22. Andrej Maraklov says

    October 17, 2021 at 4:00 pm

    Hello

    Many thanks for the good guidance, however if I put:

    object network OBJ-WIFI
    subnet 192.168.1.0 255.255.255.0

    object network WIFI-ANY
    subnet 0.0.0.0 0.0.0.0

    access-list ACL_EMP_L2L extended permit ip object OBJ-WIFI object WIFI-ANY

    or the same as you did in your example:

    access-list L2L_ACL extended permit ip 192.168.2.0 255.255.255.0 any

    the ASA stops responding immediately on the outside and inside leg as well. I have to reload it to function properly.

    I started with the ASA 2 to configure.

    Many thanks

    Andrej Maraklov

  23. quyle says

    November 25, 2021 at 8:39 am

    At ASA2, I can access the Internet and ASA1’s LAN, but both connections are bad. I can’t send files to ASA1, and the connection to the Internet is slow.
