KB: 0000040
Dated: 01/07/2009
Revision: 0.01

Cisco Firewall VPN "Hair Pinning"
Note: Cisco refer to this as a "Spoke to Spoke VPN".
Problem

You have multiple sites protected by Cisco firewalls. You establish a remote-access VPN to one of your sites, but cannot get to the others.
Solution

Normally your remote workers will establish a VPN with a VPN client (though this principle will also work for remote users with a hardware firewall). In this example we will stick with a remote client using VPN client software (either the IPSEC VPN client, version 3 or above, or the AnyConnect SSL VPN client).

In this example a remote VPN client (10.0.99.1) connects to the main site (10.0.0.0). This site has an existing site-to-site VPN to a remote site (10.0.3.0).

In normal operation the client can talk to the "File Server" (10.0.0.1) on the main site, BUT it cannot contact the "Web Server" (10.0.3.1) on the secondary site. To do that we need to employ "VPN Hair Pinning".

With a hair-pinned VPN the original remote VPN will still work, but we can also send and receive traffic to the remote site over the same VPN.

Pre Requisites

1. All firewalls must be Cisco ASA or PIX 500 version 7 or above (sorry, no PIX 501s or 506Es).
2. The sites in question must already be connected by a site-to-site VPN.
3. There must be an existing, working remote (client-to-gateway) VPN to the main site.
Step 1: Add the Subnet of the Remote Site to the "Split Tunnel" for the Remote VPN

Note: This obviously assumes you are using split tunnelling; if not, skip to Step 2. If you don't know, ask yourself this: "when I connect with the VPN client from home, can I browse the internet at the same time on my remote PC?" If the answer is yes, then you probably are using split tunnelling. To find out, issue the following command:

show run group-policy {enter}

Sample output.

MainSitel# sh run group-policy

That tells us that split tunnelling is enabled, and it's using an access list called "Split-Tunnel" (it's almost like I set these things up neatly :). Now you know what the access list is called, issue the following command:

show run access-list Split-Tunnel {enter}

Sample output.

MainSitel# show run access-list Split-Tunnel

So now we can add the remote site's network to the existing split-tunnel access list:

MainSitel(config)# access-list Split-Tunnel line 2 permit 10.0.3.0 255.255.255.0 {enter}
Step 2: Turn On Hair Pinning

Issue the following command:

MainSitel(config)# same-security-traffic permit intra-interface {enter}
Step 3: Add the "Remote VPN Network" to the EXISTING Site-to-Site VPN on the Main Site

To do this you need to add the "Pool" used for remote VPN access to the ACL that the site-to-site VPN is using. Issue the following command (if you have a lot of VPNs, look for the one that has the IP address of the ASA at the remote site; in the example below 123.123.123.123):

MainSitel(config)# show run crypto map

This tells us the access list it's using is called outside_19_cryptomap. Let's see what that's doing; issue the following:

show run access-list outside_19_cryptomap {enter}

Sample output.

MainSitel# show run access-list outside_19_cryptomap

So to add our remote VPN pool, do the following:

MainSitel(config)# access-list outside_19_cryptomap line 2 permit ip 10.0.99.0 255.255.255.0 10.0.3.0 255.255.255.0 {enter}

That's the config on the main site ASA done. Don't forget to save the config with a "write mem" command!
Step 4: Add a NAT Exemption on the Remote Site ASA

This is a NAT exemption on the existing site-to-site VPN. It's basically saying "don't NAT any traffic from my network going to the remote VPN subnet", and once again it's done with an ACL. To see what the ACL is, issue the following command:

show run nat {enter}

Sample output.

RemoteSite# show run nat

For the uninitiated, "nat 0" means DON'T NAT, or NAT exemption. So this tells us the access list doing the work is called inside_nat0_outbound. Let's have a look at that; issue the following command:

show run access-list inside_nat0_outbound {enter}

Sample output.

So to add our remote VPN pool, issue the following command:

RemoteSite(config)# access-list inside_nat0_outbound line 2 permit ip 10.0.3.0 255.255.255.0 10.0.99.0 255.255.255.0 {enter}

Step 5: Add the Remote VPN Pool to the EXISTING Site-to-Site VPN Access List

This is the exact mirror of what we did in Step 3. To locate the correct crypto map, once again issue the following command:

show run crypto map {enter}

Sample output.

RemoteSite(config)# show run crypto map

As before, if you have many VPN tunnels, locate the one whose IP address matches the IP at the main site (in this example 234.234.234.234). So we now know that this crypto map access list is called outside_1_cryptomap. To see what that's doing, issue the following command:

show run access-list outside_1_cryptomap {enter}

Sample output.

RemoteSite(config)# show run access-list outside_1_cryptomap

So to add our remote VPN pool, simply issue the following command:

access-list outside_1_cryptomap line 2 permit ip 10.0.3.0 255.255.255.0 10.0.99.0 255.255.255.0 {enter}

Job done. Don't forget to save the changes with a "write mem" command!

Testing Hair Pinning From the Client

Using the IPSEC VPN Client

When connected, if you open the VPN client software and select Statistics > Route Details, you should see the subnets of both the main site and the remote site listed as 'Secured Routes'.

Using the AnyConnect VPN Client
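As an added example (not part of the original article), the following Python script parses a captured "show run" from the main-site ASA and reports whether the three main-site conditions from Steps 1 to 3 are in place: intra-interface traffic permitted, the remote site's subnet in the split-tunnel ACL, and the remote VPN pool in the crypto map ACL for the remote peer. The embedded configuration is constructed; its pool, peer and ACL names are assumptions rather than output from a real device.

```python
import ipaddress
import re
# Constructed sample: abbreviated `show run` from the main-site ASA after Steps 1-3
# (pool, peer and ACL names are assumptions, not output from a real device).
MAIN_SITE_CONFIG = """\
same-security-traffic permit intra-interface
access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0
access-list Split-Tunnel standard permit 10.0.3.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 10.0.99.0 255.255.255.0 10.0.3.0 255.255.255.0
crypto map outside_map 19 match address outside_19_cryptomap
crypto map outside_map 19 set peer 123.123.123.123
group-policy RemoteVPN attributes
 split-tunnel-network-list value Split-Tunnel
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_networks(config, name):
    """Yield (src, dst) per permit entry of ACL NAME; standard entries give (None, net)."""
    pat = re.compile(rf"^access-list {re.escape(name)} (standard|extended) permit (.+)$", re.M)
    for kind, rest in pat.findall(config):
        t = rest.split()
        if kind == "standard":
            yield None, net(t[0], t[1])
        elif t[0] == "ip" and len(t) == 5:  # only the 'ip SRC MASK DST MASK' form
            yield net(t[1], t[2]), net(t[3], t[4])

def cryptomap_acl_for_peer(config, peer):
    """ACL bound to the crypto map entry whose 'set peer' is PEER, or None."""
    seq = re.search(rf"^crypto map (\S+) (\d+) set peer {re.escape(peer)}$", config, re.M)
    m = seq and re.search(rf"^crypto map {re.escape(seq[1])} {seq[2]} match address (\S+)$", config, re.M)
    return m[1] if m else None

def split_tunnel_acl(config):
    m = re.search(r"^ split-tunnel-network-list value (\S+)$", config, re.M)
    return m[1] if m else None

def hairpin_check(config, pool, remote, peer):
    """Which of the three main-site hair-pinning conditions CONFIG meets (all must be True)."""
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    st, cm = split_tunnel_acl(config), cryptomap_acl_for_peer(config, peer)
    return {
        "intra_interface": bool(re.search(r"^same-security-traffic permit intra-interface$", config, re.M)),
        "split_tunnel_has_remote": bool(st) and any(remote.subnet_of(d) for _, d in acl_networks(config, st)),
        "cryptomap_has_pool": bool(cm) and any(pool.subnet_of(s) and remote.subnet_of(d)
                                                for s, d in acl_networks(config, cm) if s),
    }
```

The same acl_networks helper can be pointed at the remote-site ASA's inside_nat0_outbound and outside_1_cryptomap ACLs from Steps 4 and 5, with the source and destination swapped.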