fir3net
PPS-Firenetbanner-780.5x190-30-03-17
  • Home
  • Articles
  • Firewalls
  • Cisco
  • Configuring a Hairpin VPN with Double NAT on a Cisco ASA running 8.0

Configuring a Hairpin VPN with Double NAT on a Cisco ASA running 8.0

Contents[Hide]

Purpose

The purpose of this article is to explain the configuration steps required in configuring a hairpinned VPN with double NAT on a Cisco ASA firewall (running 8.0).

Terms

Within this article there are 2 key terms that you will need to know. They are,

  • Hairpinning (U-turn Traffic) - Hairpinning is a term to describe traffic that is routed out of the same interface from which it entered.
  • Double NAT (Twice NAT) - Double NAT is a term used to describe the translation of both the source and destination address on a single traffic flow. Though not set in stone, your`ll "typically" find that the term Double NAT is used across the code base all the way up to 8.2. Whereas Twice NAT is typically used within the 8.3+ code base.  

Example

Within this example we will send traffic from Site-A to Site-C via Site-B across 2 VPN`s. Site-B will translate both the source address and destination address before sending the traffic onto Site-C.

The IP/encryption domain details are :

Site-A to Site-B VPN

PEER PEER IP LOCAL ENDPOINT REMOTE ENDPOINT
Site-A 1.1.1.1 192.168.10.1/32 172.16.30.1/32
Site-B 2.2.2.2 172.16.30.1/32 192.168.10.1/32

Site-B to Site-C VPN

PEER PEER IP LOCAL ENDPOINT REMOTE ENDPOINT
Site-B 2.2.2.2 2.2.2.20/32 192.168.30.1/32
Site-C 3.3.3.3 192.168.30.1/32 2.2.2.20/32

To make things slightly more interesting this example has been built using the following platforms/versions,

  • Site-A - Cisco ASA 8.4
  • Site-B - Cisco ASA 8.0(4)28
  • Site-C - Vyatta VC6.5R1

Topology

Below shows the topology for our example,

Configuration

Lets look at the configuration steps.

The configuration (VPN and NAT) for all 3 sites has been included. However, though the configuration is provided for all 3 sites, the core configuration resides on Site-B (due to Site-B performing both the hairpinning and the double NAT).

Site A (ASA 8.4)

On Site-A a standard site to site VPN is configured along with a NAT exemption. 

VPN

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key abc123

access-list ENCDOM100 extended permit ip host 192.168.10.1 host 172.16.30.1

crypto ipsec ikev1 transform-set ESP-3DES esp-3des esp-sha-hmac
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set ikev1 transform-set ESP-3DES
crypto map outside 100 set security-association lifetime seconds 86400
crypto map outside interface outside

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

NAT

object-group network REMOTE-ENCDOM
 network-object host 172.16.30.1
object-group network LOCAL-ENCDOM
 network-object host 192.168.10.1

nat (inside,outside) source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM no-proxy-arp

Site B (ASA 8.0)

As previously mentioned the core of the configuration resides on Site-B. 2 x Site to Site VPN`s are configured, hairpinning enabled and then the double NAT is configured via 2 policy NATs.

VPN

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key abc123
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key abc123

access-list ENCDOM100 extended permit ip host 172.16.30.1 host 192.168.10.1
access-list ENCDOM101 extended permit ip host 2.2.2.20 host 192.168.30.1

crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set peer 1.1.1.1
crypto map outside 100 set transform-set ESP-3DES
crypto map outside 100 set security-association lifetime seconds 86400
crypto map outside 101 match address ENCDOM101
crypto map outside 101 set pfs
crypto map outside 101 set peer 3.3.3.3
crypto map outside 101 set transform-set ESP-3DES
crypto map outside 101 set security-association lifetime seconds 86400
crypto map outside interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

Hairpin

To permit traffic flows that come in on an interface and is routed back out the same interface the following command is used,

same-security-traffic permit intra-interface

NAT

Finally we perform a double NAT on our traffic. This is achieved via 2 policy NATs. The first translates the source address, the 2nd translates the destination.

access-list POLICYNAT-1 extended permit ip host 192.168.10.1 host 172.16.30.1
static (outside,outside) 2.2.2.20 access-list POLICYNAT-1

access-list POLICYNAT-2 extended permit ip host 192.168.30.1 host 2.2.2.20
static (outside,outside) 172.16.30.1 access-list POLICYNAT-2

Lets look at this in some more detail,

  • POLICYNAT-1 - Translates the source address.
      • The NAT entry reads. When traffic destined for 172.16.30.1 with a source address of 192.168.10.1 hits the outside interface. The source address will be translated to 2.2.2.20.
  • POLICYNAT-2 - Translates the destination address.
      • As we want to NAT the destination when the source address is 2.2.2.20, POLICYNAT-2 reads slighty differently to the previous NAT statement. The NAT entry reads. When traffic is destined for 192.168.30.1 with a source IP of 2.2.2.20 on the outside interface translate the destination address to 192.168.30.1.

Note : You will need to ensure the NAT policies are ordered so that the source translation is first, followed by the destination. This is because of the NAT processing order.

Site C (Vyatta)

For Site C, again the configuration is pretty standard. A site to site VPN is built, and the NAT rules are configured to ensure NAT exemption.

VPN

set vpn ipsec esp-group ESP-POLICY lifetime '28800'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY lifetime '86400'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'md5'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'abc123'
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '3.3.3.3'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '192.168.30.1/32'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '2.2.2.20/32'

NAT

set nat source rule 10 destination address '192.168.30.1/32'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '2.2.2.20/32'
set nat source rule 20 destination address '2.2.2.20/32'
set nat source rule 20 'exclude'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '192.168.30.1/32'

NAT Exemption

Problem

The main problem you may face when using policy NAT is when you already have NAT exemption (i.e no NAT) rules in place for the your traffic. This is an issue because NAT exemption is processed before any other type of NAT. Resulting in the policy NAT statements negated. 

Workaround

To workaround this problem add a deny statement to your no NAT ACL so that the traffic negates the no NAT and the policy NAT is triggered.

access-list nonat deny ip host 192.168.10.1 host 172.16.30.1

Note :

  • At the point you add the deny statement to your no NAT ACL, ensure that you also clear the relating xlate entries.
  • Its also good to know that,
    • No NAT ACL`s can contain deny entries, but cannot contain ports/protocols.
    • Policy NAT ACLs cannot contain deny statements, but can contain ports/protocols.

Reference

http://blog.ciscoinferno.net/inter-vs-intra

Tags: ASA, Vyatta, Cisco, VPN, TwiceNAT

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001