Cisco ASA AnyConnect SSL VPN with Hairpinning and ONE Public IP for Web Servers
In this post I am configuring AnyConnect SSL VPN user access to a remote location that is reached over a point-to-point tunnel terminating on the same ASA. For this post, that remote subnet is 172.16.114.0/24. The term hairpinning comes from the fact that traffic enters a device (router or firewall) from one side, makes a U-turn, and leaves by the same interface it came in on. If you visualize this, it looks like a hairpin.
ANY CONNECT VPN CLIENT:
The first thing you need to do is download the clients you want to use from Cisco’s website. Once you have them, upload them to the ASA:
hostname# copy tftp flash
Address or name of remote host ? 192.168.6.1
Source filename ? anyconnect-dart-win-2.5.3055-k9.pkg
Destination filename ? anyconnect-dart-win-2.5.3055-k9.pkg
319662 bytes copied in 3.695 secs (86511 bytes/sec)
DHCP IP POOL FOR VPN CLIENTS:
We need to create an IP Address Pool for all the VPN clients:
ip local pool AnyConnectVPNPool 192.168.100.100-192.168.100.200 mask 255.255.255.0
NAT EXEMPTION FOR TRAFFIC BETWEEN INTERNAL LAN AND REMOTE VPN USERS:
access-list NONAT extended permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
Please note that the next command might already be on your ASA if you have VPN tunnels already configured:
nat (inside) 0 access-list NONAT
SPLIT TUNNEL ACL:
Let's create an ACL for split tunneling, so clients keep their local internet access after they connect to the VPN:
access-list SPLIT_TUNNEL standard permit 192.168.6.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.16.114.0 255.255.255.0
These access list entries send traffic destined for 192.168.6.0/24 and 172.16.114.0/24 through the tunnel; all other traffic goes out the client's local internet connection.
Notice above that I'm using port 8443 instead of the default 443. This is because this client needs port 443 for their web server; you'll see later in this post what I'm talking about. If you don't have to work with only ONE public IP, then don't change the port.
CREATE A GROUP POLICY WITH PARAMETERS THAT SHOULD BE APPLIED TO VPN CLIENTS:
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.6.53
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value cordero.me
address-pools value AnyConnectVPNPool
ONE PUBLIC IP CONFIGURATION:
There may be a time when you can only use one public IP with your AnyConnect VPN. If that's the case, you need to change some ports, because several services want ports 80 and 443: (1) the ASA HTTP server, (2) the AnyConnect SSL VPN, and now (3) the new web server.
If you need to publish a web server, make sure you use the "interface" keyword on your NAT statements. If not, the ASA will throw an error.
We already changed the port for the AnyConnect VPN config above, so now you'll have to change the ASA HTTP server port as well:
http server enable 8080
After changing the port, you should be able to apply these commands with no errors:
If you have a VPN tunnel already configured, you'll probably want your VPN users to be able to reach resources on the other side of that tunnel. To do this, we need to do something called hairpinning.
You'll need to add this command, which allows traffic to enter and leave through the same interface:
same-security-traffic permit intra-interface
Now the only step left is to allow your new AnyConnect VPN subnet across the point-to-point tunnel: add it to the tunnel ACL and to the NAT exemption list:
access-list VPN_TUNNEL_ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
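As an added check that is not part of the original post, the Python script below gathers the commands shown here into a constructed config text and verifies the pieces the hairpin path depends on: the client pool is NAT-exempt toward the LAN and the remote site, it appears in the tunnel ACL, intra-interface traffic is permitted, and the ASA HTTP server is off ports 80/443. The function and regex names are my own.

```python
import ipaddress
import re

# Constructed sample: the commands from this post gathered into one config text.
SAMPLE_CONFIG = """
ip local pool AnyConnectVPNPool 192.168.100.100-192.168.100.200 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
access-list VPN_TUNNEL_ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0
nat (inside) 0 access-list NONAT
http server enable 8080
same-security-traffic permit intra-interface
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
POOL = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$", re.M)
HTTP = re.compile(r"^http server enable(?: (\d+))?$", re.M)

def pool_network(config):
    """Subnet that contains the AnyConnect address pool (from its mask)."""
    lo, _hi, mask = POOL.search(config).groups()
    return ipaddress.ip_network(f"{lo}/{mask}", strict=False)

def acl_entries(config, name):
    """(src, dst) network pairs for one extended 'permit ip' ACL."""
    return [
        (ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}"))
        for m in ACE.finditer(config) if m[1] == name
    ]

def covers(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def audit_hairpin(config, lan_net, remote_net):
    """Each value is True when the config has what the hairpin path needs."""
    pool = pool_network(config)
    lan, remote = ipaddress.ip_network(lan_net), ipaddress.ip_network(remote_net)
    nonat = acl_entries(config, "NONAT")
    crypto = acl_entries(config, "VPN_TUNNEL_ACL")
    m = HTTP.search(config)
    http_port = int(m[1]) if m and m[1] else 80  # ASA default when no port is given
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in config,
        "nonat_applied": "nat (inside) 0 access-list NONAT" in config,
        "lan_to_pool_exempt": covers(nonat, lan, pool),
        "pool_to_remote_exempt": covers(nonat, pool, remote),
        "pool_in_tunnel_acl": covers(crypto, pool, remote),
        "http_off_80_443": http_port not in (80, 443),
    }
```

Run `audit_hairpin(SAMPLE_CONFIG, "192.168.6.0/24", "172.16.114.0/24")` against your own `show running-config` text; any False entry names the piece that is missing.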