In this post I am configuring AnyConnect SSL VPN Users access to a remote location that happens to be configured with a Point to Point tunnel using the same ASA. For this post, that location is 172.16.114.0. The term hairpinning comes from the fact that the traffic comes from one source into a device (Router/Firewall), makes a U-turn and goes back the same way it came. If you visualize this, you can see something that looks like a hairpin.
ANY CONNECT VPN CLIENT:
The first thing you need to do is download the clients you want to use from Cisco’s website. Once you have them, upload them to the ASA:
hostname# copy tftp flash Address or name of remote host []? 192.168.6.1 Source filename []? anyconnect-dart-win-2.5.3055-k9.pkg Destination filename []? anyconnect-dart-win-2.5.3055-k9.pkg Accessingtftp://192.168.6.1/anyconnect-dart-win-2.5.3055-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!! Writing file disk0:/cdisk71...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 319662 bytes copied in 3.695 secs (86511 bytes/sec)
DHCP IP POOL FOR VPN CLIENTS:
We need to create an IP Address Pool for all the VPN clients:
ip local pool AnyConnectVPNPool 192.168.100.100-192.168.100.200 mask 255.255.255.0
NAT EXEMPTION FOR TRAFFIC BETWEEN INTERNAL LAN AND REMOTE VPN USERS:
access-list NONAT extended permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
Please note that the next command might already be on your ASA if you have VPN tunnels already configured:
nat (inside) 0 access-list NONAT
SPLIT TUNNEL ACL:
Lets create an ACL for split tunneling. This way the client won’t complain they don’t have internet access after they vpn in:
access-list SPLIT_TUNNEL standard permit 192.168.6.0 255.255.255.0 access-list SPLIT_TUNNEL standard permit 172.16.114.0 255.255.255.0
These access lists will send traffic destined for subnets 192.168.6.0 and 172.16.114.0 through the tunnel and the rest of the traffic will be sent out of the clients local internet connection.
ANYCONNECT VPN CONFIGURATION:
webvpn port 8443 enable outside dtls port 8443 anyconnect-essentials svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2 svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3 svc enable tunnel-group-list enable
Notice above that I’m using port 8443 instead of the default 443. This is because this client will need port 443 for their web server. You’ll see later on in this post what I’m talking about. If you don’t need to worry about have only ONE public IP, then don’t change the port.
CREATE A GROUP POLICY WITH PARAMETERS THAT SHOULD BE APPLIED TO VPN CLIENTS:
group-policy SSLCLientPolicy internal group-policy SSLCLientPolicy attributes dns-server value 192.168.6.53 vpn-tunnel-protocol svc split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_TUNNEL default-domain value cordero.me address-pools value AnyConnectVPNPool
VPN USERS:
username csmith password jLdShktGb1hTQnJB encrypted username csmith attributes service-type remote-access
TUNNEL GROUP PROFILE TO DEFINE CONNECTION PARAMETERS:
tunnel-group SSLClientProfile type remote-access tunnel-group SSLClientProfile general-attributes default-group-policy SSLCLientPolicy tunnel-group SSLClientProfile webvpn-attributes group-alias SSLVPNClient enable
=====ONE PUBLIC IP CONFIGURATION:
There may be a time where you can only use one public IP with your Anyconnect VPN. If that’s the case then you need to make some changes to ports because there are several services using port 80 and 443. Those are (1) ASA HTTP Server & (2) AnyConnect SSL VPN. Now a third one with the new web server.
If you need to have a web server configured then you have to make sure that you use “interface” on your NAT statements. If not, the ASA will throw and error.
We already changed the ports for the AnyConnect VPN config above so now you’ll have to change the ASA HTTP server:
http server enable 8080
After changing the port, you should be able to apply these commands with no errors:
static (inside,outside) tcp interface www 192.168.6.101 www netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.6.101 https netmask 255.255.255.255
=====HAIRPINNING:
If you have a VPN tunnel already configured you’ll probably want your VPN users to be able to reach resources on the other side of that tunnel. To do this, we need to do something called hairpinning.
You’ll need to add this command which basically allows data in and out of the same interface:
same-security-traffic permit intra-interface
Now the only step left is to allow your new Anyconnect VPN subnet over the Point-to-Point Tunnel:
access-list VPN_TUNNEL_ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0 access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.114.0 255.255.255.0