The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface. This behavior is typically known as “hairpin” or “u-turn”. Sometimes however we need our ASA to permit this kind of traffic. Here’s an example:
Above we have an ASA firewall on the left side, there’s a remote VPN uses that connects to our firewall. This remote VPN user is not using split horizon so all traffic is being tunneled to the ASA. Let’s say this user wants to reach some webserver (220.127.116.11) on the Internet behind R2.
Here’s what our traffic pattern will look like:
Our traffic will enter the ASA on its outside Gigabit 0/0 interface and exits the same interface. By default, the ASA will drop this traffic. The second issue with this setup is that the source IP address will be from the 192.168.10.0/24 subnet. Since this is a private range, R2 will drop the traffic when it has to be routed to the Internet.
Let’s see what we have to do to fix this issue…
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname R2 ! interface Loopback0 ip address 18.104.22.168 255.255.255.255 ! interface GigabitEthernet0/1 ip address 192.168.2.2 255.255.255.0 duplex auto speed auto media-type rj45 ! ip http server ! end
hostname ASA1 ! ip local pool VPN_POOL 192.168.10.100-192.168.10.200 ! interface GigabitEthernet0/1 nameif INSIDE security-level 100 ip address 192.168.1.254 255.255.255.0 ! ftp mode passive object network VPN_POOL subnet 192.168.10.0 255.255.255.0 ! route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.2 1 ! crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP crypto map MY_CRYPTO_MAP interface OUTSIDE crypto isakmp identity address crypto ikev1 enable OUTSIDE crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! group-policy VPN_POLICY internal group-policy VPN_POLICY attributes vpn-idle-timeout 15 dynamic-access-policy-record DfltAccessPolicy username VPN_USER password E5PbZWWQ.j3bJJHz encrypted tunnel-group MY_TUNNEL type remote-access tunnel-group MY_TUNNEL general-attributes address-pool VPN_POOL default-group-policy VPN_POLICY tunnel-group MY_TUNNEL ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect ip-options inspect netbios inspect rtsp inspect sunrpc inspect tftp inspect xdmcp inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect esmtp inspect sqlnet inspect sip inspect skinny inspect icmp policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 ! service-policy global_policy global ! : end
Let’s take a look at the configuration…
There are two things we have to fix here:
- We need to configure the ASA to permit traffic that enters and exits the same interface.
- Traffic from the 192.168.10.0/24 subnet has to be NAT translated.
Before we make any changes, let’s try a ping from our remote VPN user:
C:\Users\H1>ping 22.214.171.124 Pinging 126.96.36.199 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 188.8.131.52: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
As expected these pings are failing. Let’s configure the ASA to permit traffic that enters and exits the same interface:
ASA1(config)# same-security-traffic permit intra-interface
The command above will allow the traffic to be routed. The second thing to do is to configure a NAT rule: