Cisco ASA AnyConnect SSL VPN with Hairpinning and ONE Public IP for Web Servers

In this post I am configuring AnyConnect SSL VPN user access to a remote location that is reached over a point-to-point tunnel terminating on the same ASA. For this post, that location is the 172.16.114.0 network. The term hairpinning comes from the fact that the traffic enters a device (router/firewall) from one side, makes a U-turn, and goes back out the same way it came in. If you visualize this, you can see something that looks like a hairpin.

ANYCONNECT VPN CLIENT:
The first thing you need to do is download the client packages you want to use from Cisco’s website. Once you have them, upload them to the ASA:

hostname# copy tftp flash
Address or name of remote host []? 192.168.6.1
Source filename []? anyconnect-dart-win-2.5.3055-k9.pkg
Destination filename []? anyconnect-dart-win-2.5.3055-k9.pkg
Accessing tftp://192.168.6.1/anyconnect-dart-win-2.5.3055-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/cdisk71...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
319662 bytes copied in 3.695 secs (86511 bytes/sec)

DHCP IP POOL FOR VPN CLIENTS:
We need to create an IP Address Pool for all the VPN clients:

ip local pool AnyConnectVPNPool 192.168.100.100-192.168.100.200 mask 255.255.255.0

NAT EXEMPTION FOR TRAFFIC BETWEEN INTERNAL LAN AND REMOTE VPN USERS:

access-list NONAT extended permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0

Please note that the next command might already be on your ASA if you have VPN tunnels already configured:

nat (inside) 0 access-list NONAT

SPLIT TUNNEL ACL:
Let’s create an ACL for split tunneling. This way the clients won’t complain that they have no Internet access after they VPN in:

access-list SPLIT_TUNNEL standard permit 192.168.6.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.16.114.0 255.255.255.0

These access-list entries send traffic destined for the 192.168.6.0 and 172.16.114.0 subnets through the tunnel; all other traffic is sent out of the client’s local Internet connection.

ANYCONNECT VPN CONFIGURATION:

webvpn
port 8443
enable outside
dtls port 8443
anyconnect-essentials
svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3
svc enable
tunnel-group-list enable

Notice above that I’m using port 8443 instead of the default 443. This is because this client will need port 443 for their web server. You’ll see later on in this post what I’m talking about. If you don’t have to worry about having only ONE public IP, then don’t change the port.

CREATE A GROUP POLICY WITH PARAMETERS THAT SHOULD BE APPLIED TO VPN CLIENTS:

group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.6.53
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value cordero.me
address-pools value AnyConnectVPNPool

VPN USERS:

username csmith password jLdShktGb1hTQnJB encrypted
username csmith attributes
service-type remote-access

TUNNEL GROUP PROFILE TO DEFINE CONNECTION PARAMETERS:

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable

ONE PUBLIC IP CONFIGURATION:
There may be a time when you can only use one public IP with your AnyConnect VPN. If that’s the case, you need to change some ports, because several services want to use ports 80 and 443 on that address: (1) the ASA HTTP server, (2) the AnyConnect SSL VPN, and now (3) the new web server.

If you need to publish a web server, make sure you use the “interface” keyword on your static NAT statements. If not, the ASA will throw an error.

We already changed the port for the AnyConnect VPN in the webvpn config above, so the remaining change is the ASA HTTP server port:

http server enable 8080

After changing the port, you should be able to apply these commands with no errors:

static (inside,outside) tcp interface www 192.168.6.101 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.6.101 https netmask 255.255.255.255
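Before pushing a one-public-IP configuration, it helps to confirm that no two services are still claiming the same port on the outside address. The following script is an added example, not part of the original post: it parses the ASA commands shown above (http server enable, the webvpn port and dtls port lines, and static PAT lines that use the interface keyword) and reports any TCP or UDP port bound twice. The defaults it assumes (443 for the HTTP server, for webvpn and for DTLS when no port is given) are the ASA defaults; the two sample configurations are constructed from the commands in this post.

```python
"""Detect port collisions among services bound to a single public IP on an ASA.

Added example, not from the original post. Only the commands used in the post
are parsed; anything else in the configuration is ignored."""

import re
from collections import defaultdict

# Well-known service names the ASA accepts in place of port numbers.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

def port_number(token):
    """Resolve 'www' / 'https' / '8443' to an integer port."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS[token]

def outside_bindings(config_text):
    """Return {(proto, port): [service, ...]} for everything that listens on,
    or is translated to, the outside interface address."""
    bindings = defaultdict(list)
    webvpn_enabled_outside = False
    webvpn_port = 443   # ASA default when 'port' is not set under webvpn
    dtls_port = 443     # ASA default when 'dtls port' is not set under webvpn
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"http server enable(?: (\d+))?$", line)
        if m:  # ASDM / HTTP server, default port 443
            bindings[("tcp", int(m.group(1) or 443))].append("ASA HTTP/ASDM server")
            continue
        m = re.match(r"port (\d+)$", line)
        if m:  # 'port N' under webvpn (TLS listener)
            webvpn_port = int(m.group(1))
            continue
        m = re.match(r"dtls port (\d+)$", line)
        if m:  # 'dtls port N' under webvpn (UDP listener)
            dtls_port = int(m.group(1))
            continue
        if line == "enable outside":
            webvpn_enabled_outside = True
            continue
        m = re.match(r"static \(\S+,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)", line)
        if m:  # static PAT that shares the outside interface address
            proto, global_port, real_ip, real_port = m.groups()
            bindings[(proto, port_number(global_port))].append(
                f"static PAT to {real_ip}:{port_number(real_port)}")
    if webvpn_enabled_outside:
        bindings[("tcp", webvpn_port)].append("AnyConnect SSL VPN (TLS)")
        bindings[("udp", dtls_port)].append("AnyConnect SSL VPN (DTLS)")
    return bindings

def port_conflicts(config_text):
    """Return only the (proto, port) keys claimed by more than one service."""
    return {k: v for k, v in outside_bindings(config_text).items() if len(v) > 1}

# Constructed sample: the post's final configuration (no conflicts expected).
WORKING_CONFIG = """
http server enable 8080
webvpn
 port 8443
 enable outside
 dtls port 8443
static (inside,outside) tcp interface www 192.168.6.101 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.6.101 https netmask 255.255.255.255
"""

# Constructed sample: webvpn and the HTTP server left on their default port 443,
# which collides with the static PAT for the web server.
DEFAULT_PORTS_CONFIG = """
http server enable
webvpn
 enable outside
static (inside,outside) tcp interface https 192.168.6.101 https netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("default ports", DEFAULT_PORTS_CONFIG)):
        conflicts = port_conflicts(cfg)
        print(f"{name}: {'OK' if not conflicts else dict(conflicts)}")
```

Running it prints `working: OK` and, for the second sample, a single conflict on tcp/443 shared by the HTTP server, the AnyConnect TLS listener and the static PAT, which is exactly the situation the port changes above avoid.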

HAIRPINNING:
If you have a VPN tunnel already configured you’ll probably want your VPN users to be able to reach resources on the other side of that tunnel. To do this, we need to do something called hairpinning.

You’ll need to add this command, which allows traffic to enter and leave the ASA on the same interface:

same-security-traffic permit intra-interface

Now the only step left is to allow your new AnyConnect VPN subnet across the point-to-point tunnel, in both the crypto ACL and the NAT exemption list:

access-list VPN_TUNNEL_ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
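A quick way to see why both of those last two entries matter is to check the split-tunnel, NONAT and crypto ACL entries against each other. The script below is an added example, not part of the original post: it parses the access-list and ip local pool commands from this post, classifies a few flows from an AnyConnect client (does the destination go through the tunnel, is the flow exempt from NAT, is it permitted across the point-to-point tunnel), and lists any split-tunnel network that has no NAT-exemption entry. The client address 192.168.100.150 and the sample destinations are constructed; NAT exemption is evaluated in both directions, as the ASA does for nat 0 access-list, while the crypto ACL is checked as written.

```python
"""Consistency check for split-tunnel, NAT-exemption and hairpin ACL entries.

Added example, not part of the original post. The configurations below are
constructed from the commands shown in the post."""

import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # a standard ACL has no destination; ANY is stored

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def parse_config(config_text):
    """Return (acls, pool): acls maps ACL name -> [AclEntry];
    pool is the (first, last) address pair of the ip local pool, or None."""
    acls, pool = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m:
            name, net, mask = m.groups()
            acls.setdefault(name, []).append(AclEntry(_net(net, mask), ANY))
            continue
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(AclEntry(_net(s, sm), _net(d, dm)))
            continue
        m = re.match(r"ip local pool \S+ (\S+)-(\S+) mask \S+$", line)
        if m:
            pool = (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
    return acls, pool

def permits(entries, src, dst, bidirectional=False):
    """True if any entry permits src -> dst. NAT exemption (nat 0 access-list)
    is applied in both directions on the ASA, so NONAT is checked with
    bidirectional=True; the crypto ACL is checked as written (local -> remote)."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return True
        if bidirectional and dst in e.src and src in e.dst:
            return True
    return False

def classify_flow(acls, dst, client_ip="192.168.100.150"):
    """Classify one flow from an AnyConnect client (constructed address) to dst."""
    src, dst = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(dst)
    return {
        # split list is a standard ACL: only the destination network is tested
        "tunneled": any(dst in e.src for e in acls.get("SPLIT_TUNNEL", [])),
        "nat_exempt": permits(acls.get("NONAT", []), src, dst, bidirectional=True),
        "over_p2p_tunnel": permits(acls.get("VPN_TUNNEL_ACL", []), src, dst),
    }

def split_networks_without_nat_exemption(acls, pool):
    """Split-tunnel networks with no NONAT entry covering the VPN pool; traffic
    to them would be subject to NAT instead of passing through untranslated."""
    first, last = pool
    gaps = []
    for e in acls.get("SPLIT_TUNNEL", []):
        probes = [(first, e.src.network_address), (last, e.src.broadcast_address)]
        if not all(permits(acls.get("NONAT", []), s, d, bidirectional=True) for s, d in probes):
            gaps.append(e.src)
    return gaps

# Constructed: the post's pool and ACLs before the two hairpinning entries.
BASE_CONFIG = """
ip local pool AnyConnectVPNPool 192.168.100.100-192.168.100.200 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.6.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.16.114.0 255.255.255.0
"""

# Constructed: the same plus the two hairpinning entries from the end of the post.
HAIRPIN_CONFIG = BASE_CONFIG + """
access-list VPN_TUNNEL_ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
"""

# Constructed destinations: inside web server, host behind the P2P tunnel,
# and an Internet host (203.0.113.10 is from the documentation range).
SAMPLE_DESTINATIONS = ("192.168.6.101", "172.16.114.10", "203.0.113.10")

if __name__ == "__main__":
    for label, cfg in (("before hairpinning", BASE_CONFIG), ("after hairpinning", HAIRPIN_CONFIG)):
        acls, pool = parse_config(cfg)
        print(label)
        for d in SAMPLE_DESTINATIONS:
            print(f"  {d}: {classify_flow(acls, d)}")
        print("  split networks without NAT exemption:",
              [str(n) for n in split_networks_without_nat_exemption(acls, pool)])
```

Before the two hairpinning entries, 172.16.114.10 is sent into the AnyConnect tunnel by the split list but is neither NAT-exempt nor permitted across the point-to-point tunnel, and 172.16.114.0/24 shows up as a gap; after them, every split-tunnel destination is both exempt and permitted, while the Internet host correctly stays outside the tunnel.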