This is sometimes also referred to as NAT reflection (NAT loopback, hairpinning). NAT reflection is not specific to remote-access VPN; there are several other scenarios where it is required.
AnyConnect Remote Access VPN Configuration with U-Turning:
To demonstrate the concept and the working of the VPN I used the Cisco-defined image. In this method, all client traffic, including internet traffic, goes through the firewall.
To set up the basic firewall configuration, please see the article below.
https://arshad-it.blogspot.com/2017/07/how-to-set-up-basic-cisco-asa-firewall.html
I have configured the routing so that the VPN client can communicate with R3, R5, R4 and the ASA outside interface but has no access to R2. R2 acts as a router somewhere on the internet, and the ASA has reachability to R2. When the client connects to the ASA through AnyConnect, it should be able to ping R2 through the ASA's internet connection, which is the proof of hairpinning.
The routes configured on all the devices can be seen below.

R
ip route 0.0.0.0 0.0.0.0 192.168.1.1

ASA
route outside 0.0.0.0 0.0.0.0 10.0.50.2 1

R4
ip route 10.0.10.0 255.255.255.0 10.0.30.2
ip route 10.0.20.0 255.255.255.0 10.0.30.2
ip route 10.0.40.0 255.255.255.0 10.0.30.2

R5
ip route 10.0.10.0 255.255.255.0 10.0.20.1
ip route 10.0.50.0 255.255.255.0 10.0.30.1

R2
ip route 0.0.0.0 0.0.0.0 10.0.40.2

R3
ip route 10.0.30.0 255.255.255.0 10.0.20.2
ip route 10.0.50.0 255.255.255.0 10.0.20.2
ASA > ping 10.0.40.1 = success
Let's do the VPN configuration on the ASA:

ciscoasa(config)#same-security-traffic permit intra-interface
ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config)#group-policy clientgroup internal
ciscoasa(config)#group-policy clientgroup attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelall
ciscoasa(config)#username Babar password cisco
ciscoasa(config)#tunnel-group sslgroup type remote-access
ciscoasa(config)#tunnel-group sslgroup general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy clientgroup
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable
Try connecting to 10.0.50.1 from the client using AnyConnect; it should connect. But pinging 192.168.1.2 from the client will not work, because we have not configured the NAT exemption yet.
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
Now the client can ping 192.168.1.2, and both can ping each other. But the client's internet access has stopped working: we need to add another NAT entry so that client traffic that enters from the outside network is translated to the outside IP address 10.0.50.1.
We can do that in two ways; either one can be used.
1. This is not recommended. When we disconnect the VPN and ping the ASA outside interface, the ping does not work, because this rule also translates the outside IP into 192.168.10.0/24. Test it in a lab environment before configuring it in a production network; I faced this issue with IKEv2 remote-access VPN.
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NET_OBJ_0.0.0.0_0
 subnet 0.0.0.0 0.0.0.0
ciscoasa(config)#nat (outside,outside) source static NET_OBJ_192.168.10.0_24 interface destination static NET_OBJ_0.0.0.0_0 NET_OBJ_0.0.0.0_0
2. This is the recommended solution.
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
Client ping to 10.0.40.1 works now, which means the client has internet access through the firewall.
TIPS:
> We can use an ACL so that only the networks specified in the ACL can communicate; however, it is not a requirement of the VPN.
> We changed the split-tunnel policy to tunnelall.
> We need another NAT entry to translate the outside network to 10.0.50.1, which is the ASA outside public IP.
> "same-security-traffic permit intra-interface" is compulsory in this VPN.
> Make sure not to copy the commands directly from the web page to the firewall. First copy the commands into Notepad, read each command, and type it manually on the firewall.
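The tips above amount to a checklist: intra-interface traffic permitted, an address pool, an identity NAT between the inside network and the pool, and a (outside,outside) NAT for the pool. The following added example (my own code, not part of the article) checks a running-config-style text for exactly those items and flags the static hairpin rule from option 1 as a warning. It assumes the interface names "inside" and "outside" and the object/pool names used in the article; the sample configuration is constructed from the article's commands.

```python
import ipaddress

# Constructed sample: the article's working configuration in
# "show running-config" form (sub-commands indented by one space).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
"""

# Constructed variant using the article's option 1 (static twice NAT to the interface).
OPTION1_CONFIG = SAMPLE_CONFIG.replace(" nat (outside,outside) dynamic interface\n", "") + """\
object network NET_OBJ_0.0.0.0_0
 subnet 0.0.0.0 0.0.0.0
nat (outside,outside) source static NET_OBJ_192.168.10.0_24 interface destination static NET_OBJ_0.0.0.0_0 NET_OBJ_0.0.0.0_0
"""


def parse_asa_config(text):
    """Extract only the pieces relevant to a hairpinned AnyConnect setup."""
    cfg = {"intra_interface": False, "pools": {}, "objects": {},
           "object_nats": [], "twice_nats": [], "group_policies": {}, "tunnel_groups": {}}
    context = None  # ("object"|"gp"|"tg", name) while inside a sub-mode
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):               # top-level command
            context = None
            if line.strip() == "same-security-traffic permit intra-interface":
                cfg["intra_interface"] = True
            elif parts[:3] == ["ip", "local", "pool"]:
                start, _end = parts[4].split("-")
                # Assumption: a pool without "mask" is treated as a /24.
                mask = parts[6] if len(parts) > 6 and parts[5] == "mask" else "255.255.255.0"
                cfg["pools"][parts[3]] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            elif parts[:2] == ["object", "network"]:
                context = ("object", parts[2])
                cfg["objects"].setdefault(parts[2], None)
            elif parts[0] == "nat" and "source" in parts:   # twice NAT
                cfg["twice_nats"].append(parts)
            elif parts[0] == "group-policy" and parts[-1] == "attributes":
                context = ("gp", parts[1])
                cfg["group_policies"].setdefault(parts[1], {})
            elif parts[0] == "tunnel-group" and parts[-1] == "general-attributes":
                context = ("tg", parts[1])
                cfg["tunnel_groups"].setdefault(parts[1], {})
            continue
        if context is None:
            continue
        kind, name = context
        if kind == "object" and parts[0] == "subnet":
            cfg["objects"][name] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif kind == "object" and parts[0] == "nat":      # object NAT
            cfg["object_nats"].append((name, parts))
        elif kind in ("gp", "tg"):
            store = cfg["group_policies"] if kind == "gp" else cfg["tunnel_groups"]
            store[name][parts[0]] = " ".join(parts[1:])
    return cfg


def _covers(cfg, obj_name, pool):
    """True if the named network object contains the whole VPN pool."""
    net = cfg["objects"].get(obj_name)
    return net is not None and pool.subnet_of(net)


def check_hairpin_vpn(text):
    """Return (severity, message) findings; an empty list means all checks passed."""
    cfg = parse_asa_config(text)
    findings = []
    if not cfg["intra_interface"]:
        findings.append(("error", "same-security-traffic permit intra-interface is missing; "
                                  "traffic entering and leaving the outside interface is dropped"))
    for tg_name, tg in cfg["tunnel_groups"].items():
        pool = cfg["pools"].get(tg.get("address-pool"))
        if pool is None:
            findings.append(("error", f"tunnel-group {tg_name}: address-pool is missing or undefined"))
            continue
        gp = cfg["group_policies"].get(tg.get("default-group-policy"), {})
        if gp.get("split-tunnel-policy") != "tunnelall":
            findings.append(("info", f"tunnel-group {tg_name}: not tunnelall, client internet "
                                     "traffic will not hairpin through the ASA"))
        # NAT exemption: identity twice NAT inside->outside whose destination covers the pool.
        exempt = any(p[1] == "(inside,outside)" and p[2:4] == ["source", "static"] and p[4] == p[5]
                     and "destination" in p
                     and p[p.index("destination") + 2] == p[p.index("destination") + 3]
                     and _covers(cfg, p[p.index("destination") + 2], pool)
                     for p in cfg["twice_nats"])
        if not exempt:
            findings.append(("error", f"tunnel-group {tg_name}: no NAT exemption between inside "
                                      f"and pool {pool}; inside hosts are unreachable"))
        # Hairpin NAT for client internet traffic: option 2 (dynamic) or option 1 (static).
        dynamic = any(p[1] == "(outside,outside)" and p[2:4] == ["dynamic", "interface"]
                      and _covers(cfg, obj, pool) for obj, p in cfg["object_nats"])
        static = any(p[1] == "(outside,outside)" and p[2:4] == ["source", "static"]
                     and p[5] == "interface" and _covers(cfg, p[4], pool) for p in cfg["twice_nats"])
        if static and not dynamic:
            findings.append(("warning", f"tunnel-group {tg_name}: static (outside,outside) NAT is "
                                        "bidirectional and can rewrite the outside interface address "
                                        "into the pool; prefer 'nat (outside,outside) dynamic interface'"))
        elif not dynamic:
            findings.append(("error", f"tunnel-group {tg_name}: no (outside,outside) NAT for pool "
                                      f"{pool}; client internet traffic is not translated"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("article config", SAMPLE_CONFIG), ("option 1", OPTION1_CONFIG)):
        print(label, check_hairpin_vpn(cfg_text) or "OK")
```

Run it against a saved "show running-config" output; the severities follow the article's own ranking (option 2 passes cleanly, option 1 is flagged as a warning, and a missing intra-interface or exemption rule is an error).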
Note: I personally configured and tested this lab and it is working; the ASA version is 9.5(2).
---------------The END------------------
Thank you for the great article sir!