Configuring Hairpin VPN with Double NAT on Cisco ASA 8.0


Purpose

The purpose of this article is to explain the configuration steps required to build a hairpinned VPN with double NAT on a Cisco ASA firewall running 8.0.

Terms

Within this article there are two key terms that you will need to know. They are,

  • Hairpinning (U-turn Traffic) – Hairpinning describes traffic that is routed back out of the same interface on which it entered.
  • Double NAT (Twice NAT) – Double NAT describes the translation of both the source and the destination address on a single traffic flow. Though not set in stone, you'll typically find that the term Double NAT is used across the code base all the way up to 8.2, whereas Twice NAT is typically used within the 8.3+ code base.

Example

Within this example we will send traffic from Site-A to Site-C via Site-B across two VPNs. Site-B will translate both the source address and the destination address before sending the traffic on to Site-C.

The IP/encryption domain details are :

Site-A to Site-B VPN

Peer      Peer IP    Local endpoint     Remote endpoint
Site-A    1.1.1.1    192.168.10.1/32    172.16.30.1/32
Site-B    2.2.2.2    172.16.30.1/32     192.168.10.1/32

Site-B to Site-C VPN

Peer      Peer IP    Local endpoint     Remote endpoint
Site-B    2.2.2.2    2.2.2.20/32        192.168.30.1/32
Site-C    3.3.3.3    192.168.30.1/32    2.2.2.20/32

To make things slightly more interesting this example has been built using the following platforms/versions,

  • Site-A – Cisco ASA 8.4
  • Site-B – Cisco ASA 8.0(4)28
  • Site-C – Vyatta VC6.5R1

Topology

The diagram below shows the topology for our example,

Configuration

Let's look at the configuration steps.

The configuration (VPN and NAT) for all three sites has been included. However, though the configuration is provided for all three sites, the core configuration resides on Site-B (as Site-B performs both the hairpinning and the double NAT). Note that the IKE policies and transform sets shown (3DES, MD5, DH group 2) and the placeholder pre-shared key abc123 are there to keep the example short; in a production deployment use AES, a SHA-2 hash, a stronger DH group and a unique, strong pre-shared key per peer.

Site A (ASA 8.4)

On Site-A a standard site to site VPN is configured along with a NAT exemption.

VPN

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key abc123

access-list ENCDOM100 extended permit ip host 192.168.10.1 host 172.16.30.1

crypto ipsec ikev1 transform-set ESP-3DES esp-3des esp-sha-hmac
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set ikev1 transform-set ESP-3DES
crypto map outside 100 set security-association lifetime seconds 86400
crypto map outside interface outside

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

NAT

object-group network REMOTE-ENCDOM
 network-object host 172.16.30.1
object-group network LOCAL-ENCDOM
 network-object host 192.168.10.1

nat (inside,outside) source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM no-proxy-arp

Site B (ASA 8.0)

As previously mentioned, the core of the configuration resides on Site-B. Two site-to-site VPNs are configured, hairpinning is enabled, and then the double NAT is configured via two policy NATs.

VPN

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key abc123
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key abc123

access-list ENCDOM100 extended permit ip host 172.16.30.1 host 192.168.10.1
access-list ENCDOM101 extended permit ip host 2.2.2.20 host 192.168.30.1

crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set peer 1.1.1.1
crypto map outside 100 set transform-set ESP-3DES
crypto map outside 100 set security-association lifetime seconds 86400
crypto map outside 101 match address ENCDOM101
crypto map outside 101 set pfs
crypto map outside 101 set peer 3.3.3.3
crypto map outside 101 set transform-set ESP-3DES
crypto map outside 101 set security-association lifetime seconds 86400
crypto map outside interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

Hairpin

To permit traffic that arrives on an interface to be routed back out of the same interface, the following command is used,

same-security-traffic permit intra-interface

Keep in mind that on the ASA decrypted VPN traffic bypasses the interface access-list by default (sysopt connection permit-vpn). Once intra-interface traffic is permitted, the crypto ACLs (ENCDOM100 and ENCDOM101) and the NAT statements below are what limit which hosts can reach each other through the hairpin, so keep them as specific as the host entries used here.

NAT

Finally we perform a double NAT on our traffic. This is achieved via two policy NATs: the first translates the source address, the second translates the destination.

access-list POLICYNAT-1 extended permit ip host 192.168.10.1 host 172.16.30.1
static (outside,outside) 2.2.2.20 access-list POLICYNAT-1

access-list POLICYNAT-2 extended permit ip host 192.168.30.1 host 2.2.2.20
static (outside,outside) 172.16.30.1 access-list POLICYNAT-2

Let's look at this in some more detail,

  • POLICYNAT-1 – Translates the source address.
      • The NAT entry reads: when traffic sourced from 192.168.10.1 and destined for 172.16.30.1 hits the outside interface, translate the source address to 2.2.2.20.
  • POLICYNAT-2 – Translates the destination address.
      • A static is written from the point of view of the real host and is bidirectional. Because we want to translate the destination once the source has already become 2.2.2.20, POLICYNAT-2 reads slightly differently from the previous statement: its ACL names the real host 192.168.30.1 talking to 2.2.2.20, and the static maps that real host to 172.16.30.1. The effect on our flow is that when traffic on the outside interface with a source of 2.2.2.20 is destined for 172.16.30.1, the destination address is translated to 192.168.30.1. The same entry translates the source of the return traffic from 192.168.30.1 back to 172.16.30.1, so that the reply lands back inside the Site-A encryption domain.

Note : The NAT statements must be ordered so that the source translation (POLICYNAT-1) comes before the destination translation (POLICYNAT-2). POLICYNAT-2 matches on the already translated source 2.2.2.20, so it can only take effect after the source has been translated; this is a consequence of the NAT processing order.

Site C (Vyatta)

For Site-C the configuration is again fairly standard. A site-to-site VPN is built, and the source NAT rules are configured as exclusions so that the VPN traffic is exempt from NAT.

VPN

set vpn ipsec esp-group ESP-POLICY lifetime '28800'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY lifetime '86400'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'md5'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'abc123'
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '3.3.3.3'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '192.168.30.1/32'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '2.2.2.20/32'

NAT

set nat source rule 10 destination address '192.168.30.1/32'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '2.2.2.20/32'
set nat source rule 20 destination address '2.2.2.20/32'
set nat source rule 20 'exclude'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '192.168.30.1/32'

NAT Exemption

Problem

The main problem you may face when using policy NAT is when you already have NAT exemption (i.e. no NAT) rules in place for your traffic. This is an issue because NAT exemption is processed before any other type of NAT, so a matching no NAT entry bypasses the policy NAT statements entirely.

Workaround

To work around this problem, add a deny statement for the flow to your no NAT ACL so that the traffic falls through the NAT exemption and the policy NAT is triggered.

access-list nonat deny ip host 192.168.10.1 host 172.16.30.1

Note :

  • When you add the deny statement to your no NAT ACL, make sure that you also clear the related xlate entries (clear xlate), otherwise existing translations continue to bypass the policy NAT.
  • It is also good to know that,
    • No NAT ACLs can contain deny entries, but cannot contain ports/protocols.
    • Policy NAT ACLs cannot contain deny statements, but can contain ports/protocols.
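The following Python script is an added example, not part of the original article and not Cisco code. It is a deliberately simplified model of how the page describes the pre-8.3 NAT processing on Site-B (NAT exemption first, then the static policy NATs in configuration order, return traffic untranslated from the connection built by the forward packet) and is not an ASA emulator. It walks the Site-A packet through both policy NATs, checks that the translated flow lands inside the Site-C encryption domain (ENCDOM101) and that the untranslated reply lands inside the Site-A one (ENCDOM100), and reproduces the two failure modes discussed above: the policy NATs in the wrong order, and a pre-existing NAT exemption without the deny workaround. The classes and function names (Flow, Ace, PolicyStatic, translate, check_hairpin) are my own.

```python
"""Model of the Site-B hairpin double NAT from the article (added example).

Simplified model of the pre-8.3 behaviour described on the page; it is
not an ASA emulator.  Addresses are the ones used in the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <dst>' entry of an extended access-list."""
    action: str   # "permit" or "deny"
    src: str      # CIDR, e.g. "192.168.10.1/32"
    dst: str

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


def acl_permits(acl: list[Ace], flow: Flow) -> bool:
    """First-match semantics with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


@dataclass
class PolicyStatic:
    """static (outside,outside) <mapped> access-list <acl>

    The ACL source is the real host being translated and the ACL destination
    is the peer it talks to.  A static is bidirectional: packets from that
    peer to the mapped address get their destination untranslated.
    """
    mapped: str
    acl: list[Ace]

    def apply(self, flow: Flow) -> Flow:
        if acl_permits(self.acl, flow):            # real -> peer: translate source
            return Flow(self.mapped, flow.dst)
        for ace in self.acl:                        # peer -> mapped: untranslate destination
            if (ace.action == "permit"
                    and ip_address(flow.src) in ip_network(ace.dst)
                    and flow.dst == self.mapped):
                return Flow(flow.src, str(ip_network(ace.src).network_address))
        return flow


def translate(flow: Flow, nonat: list[Ace], statics: list[PolicyStatic]) -> Flow:
    """NAT exemption is evaluated before any static; a match bypasses them all."""
    if acl_permits(nonat, flow):
        return flow
    for static in statics:                          # configuration order matters
        flow = static.apply(flow)
    return flow


def return_flow(original: Flow, translated: Flow, reply: Flow) -> Optional[Flow]:
    """Replies are untranslated from the connection entry built by the forward
    packet (stateful inspection), not by re-evaluating the statics."""
    if reply == Flow(translated.dst, translated.src):
        return Flow(original.dst, original.src)
    return None


# Site-B configuration from the article expressed in the model.
ENCDOM100 = [Ace("permit", "172.16.30.1/32", "192.168.10.1/32")]   # tunnel to Site-A
ENCDOM101 = [Ace("permit", "2.2.2.20/32", "192.168.30.1/32")]      # tunnel to Site-C
POLICYNAT_1 = PolicyStatic("2.2.2.20", [Ace("permit", "192.168.10.1/32", "172.16.30.1/32")])
POLICYNAT_2 = PolicyStatic("172.16.30.1", [Ace("permit", "192.168.30.1/32", "2.2.2.20/32")])

# A pre-existing NAT exemption for the Site-A flow, without and with the deny workaround
# (constructed for the example; the article only shows the deny line).
NONAT_BROKEN = [Ace("permit", "192.168.10.1/32", "172.16.30.1/32")]
NONAT_FIXED = [Ace("deny", "192.168.10.1/32", "172.16.30.1/32"),
               Ace("permit", "192.168.10.1/32", "172.16.30.1/32")]


def check_hairpin(nonat: list[Ace], statics: list[PolicyStatic]) -> dict:
    """Push the Site-A packet through Site-B and verify both encryption domains."""
    inbound = Flow("192.168.10.1", "172.16.30.1")   # as decrypted from the Site-A tunnel
    outbound = translate(inbound, nonat, statics)
    reply = Flow(outbound.dst, outbound.src)        # what Site-C answers with
    restored = return_flow(inbound, outbound, reply)
    return {
        "outbound": outbound,
        "to_site_c_ok": acl_permits(ENCDOM101, outbound),
        "reply_ok": restored is not None and acl_permits(ENCDOM100, restored),
    }


if __name__ == "__main__":
    print("correct order :", check_hairpin(NONAT_FIXED, [POLICYNAT_1, POLICYNAT_2]))
    print("wrong order   :", check_hairpin(NONAT_FIXED, [POLICYNAT_2, POLICYNAT_1]))
    print("nonat no deny :", check_hairpin(NONAT_BROKEN, [POLICYNAT_1, POLICYNAT_2]))
```

With the statics in the documented order and the deny entry in place, the packet leaves Site-B as 2.2.2.20 to 192.168.30.1 and the reply is restored to 172.16.30.1 to 192.168.10.1. Swapping the two statics leaves the destination untranslated (2.2.2.20 to 172.16.30.1), and a NAT exemption without the deny entry sends the packet out completely untranslated; in both cases the flow falls outside ENCDOM101 and the Site-C tunnel will never carry it.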
Rick Donato
