Friday, April 6, 2012

Interconnecting Different Sites Using VPN Hairpinning with Cisco ASA Sample Configuration


This is my first post in my newly created blog, and I thought of sharing a project I did back in 2007. I was then working for a Danish company which has offices and clients in North America, South America, Europe, Asia, and Africa (North and East Africa, to be more specific).

The problem was how to interconnect all our offices and clients on these five continents quickly and inexpensively. We had support centers in Denmark, the US, and the Philippines, and all our support personnel and subject matter experts needed access to the company's servers and systems deployed inside clients' data centers scattered worldwide. We needed to be able to SSH into the servers; access the web and database tiers of the system; and reach the servers' iLO (HP's integrated lights-out management) and KVMs. The inexpensive and fast, yet secure, solution is VPN.

VPN is fast to deploy, secure, and, as most finance directors would like, inexpensive. Do note that VPN is not the best solution for latency-sensitive traffic such as VoIP and videoconferencing. For brevity, I did not include the other ASA configuration such as hostname, domain, and firewall rules; only the VPN configuration and other relevant configuration lines are shown.

The Scenario: 

A certain Company 'A' has a Regional Office Headquarters (RoHQ) in Singapore that needs to access servers and systems deployed at a client in the US. Company 'A' also has a contact and support center in the Philippines which needs to access the system deployed at our US-based client. As is usually the case, both companies agreed that their respective networks should be NAT-ed to a public IP address.


The setup is illustrated in the diagram above. Our objective is to make the local area network (LAN) 10.5.0.0/16 in the Philippines able to communicate with Singapore's LAN at 10.1.0.0/16. Both the Philippines and Singapore offices should be able to reach the system deployed at our US-based client, whose 'NAT' IP address is 111.22.33.49. All IPs communicating with 111.22.33.49 should be NAT-ed to 202.11.22.34. For simplicity, no NAT is applied to Company 'A's traffic between Singapore and the Philippines.

As already mentioned, our solution is to interconnect all sites using VPN hairpinning over a hub-and-spoke topology. Traffic from the Philippines is first routed to Singapore, whose VPN concentrator processes the packets and forwards them to the US-based client when applicable. In this scenario the Singapore RoHQ network is the hub, while the Philippines and the US-based client are the 'spokes'.

Here is the configuration for the topology shown above. Lines starting with '!' are comments or documentation. They serve as guides and explain the reason each line of the configuration was given.

1. Relevant VPN configuration for ASAFWSG1

!First, we configure the interface names.
!This is how the ASA works:
!by interface names and security levels.

interface Ethernet0/0
 description #TO INTERNET#
 nameif outside
 security-level 0
 ip address 202.11.22.33 255.255.255.240

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.254 255.255.255.0

!As discussed, hairpinning works by routing traffic
!back out through the same interface it arrived on,
!so traffic entering and leaving the same interface must be permitted.
same-security-traffic permit intra-interface

!Now we define the VPNs. There are two: one to ASAFWPH1
!and another to the US client (host name not provided).
!Let us start by defining the encryption domains
!(aka crypto access-lists).
!Notice that both the US host and the SG subnet appear
!in the crypto ACL towards PH, using their NAT IPs.

access-list TO_ASAFWPH1 extended permit ip 10.1.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list TO_ASAFWPH1 extended permit ip host 111.22.33.49 10.5.0.0 255.255.0.0

access-list TO_US-CLIENT extended permit ip host 202.11.22.34 host 111.22.33.49

!Next we define the VPN profiles.
!(On the ASA, esp-aes is 128-bit AES; esp-aes-192 and esp-aes-256 are the longer keys.)

crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

crypto map VPN-OUT 1 match address TO_ASAFWPH1
crypto map VPN-OUT 1 set transform-set AES128-SHA
crypto map VPN-OUT 1 set peer 122.33.22.11

crypto map VPN-OUT 2 match address TO_US-CLIENT
crypto map VPN-OUT 2 set transform-set AES128-SHA
crypto map VPN-OUT 2 set peer 111.22.33.44

crypto map VPN-OUT interface outside
crypto isakmp enable outside

!Notice that there is only one crypto isakmp policy.
!The phase 1 policy only needs to be configured once;
!all other VPN connections can re-use the same ISAKMP phase 1 policy.

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 122.33.22.11 type ipsec-l2l
tunnel-group 122.33.22.11 ipsec-attributes
 pre-shared-key S@mpl30nlY

tunnel-group 111.22.33.44 type ipsec-l2l
tunnel-group 111.22.33.44 ipsec-attributes
 pre-shared-key @$@gr33dW!thCl!3nT

!Now that the VPN is configured for both peers,
!we will configure NAT.

!But first, we have to define the access-lists
!that decide which segments are NAT-ed and which are not.

access-list NAT_EXEMPTION extended permit ip any 10.5.0.0 255.255.0.0

access-list NAT_TO_US-CLIENT extended permit ip any host 111.22.33.49

!Now we define NAT by pairing each nat statement
!with the 'global' pool that carries the same ID.

!This is the NAT (PAT to the outside interface address) for corporate users
!going to the Internet. ALL USERS.
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface

!On the ASA, nat 0 with an access-list means no NAT is applied
!to the matching traffic (NAT exemption); it is evaluated before the policy NAT below.
nat (inside) 0 access-list NAT_EXEMPTION

!This is the policy NAT that applies to US-client-bound traffic.
!The 'access-list' keyword is required when the nat statement references an ACL.
global (outside) 2 202.11.22.34
nat (inside) 2 access-list NAT_TO_US-CLIENT

!Here is the 'NAT-deflection' configuration.
!This is needed because traffic from the Philippine branch
!arrives on the outside interface and must also be NAT-ed to 202.11.22.34
!before it is sent back out to the US client.
nat (outside) 2 access-list NAT_TO_US-CLIENT


2. Relevant VPN configuration for ASAFWPH1

!The outside address must be the one ASAFWSG1 uses as its
!crypto map peer and tunnel-group for PH (122.33.22.11).
interface Ethernet0/0
 description #TO INTERNET#
 nameif outside
 security-level 0
 ip address 122.33.22.11 255.255.255.240

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.5.1.254 255.255.255.0

!The configuration simply mirrors the ASAFWSG1 configuration
!for everything directed to PH. The crypto ACL here points towards SG,
!and it is the one the crypto map references.

access-list TO_ASAFWSG1 extended permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list TO_ASAFWSG1 extended permit ip 10.5.0.0 255.255.0.0 host 111.22.33.49

crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

crypto map VPN-OUT 1 match address TO_ASAFWSG1
crypto map VPN-OUT 1 set transform-set AES128-SHA
crypto map VPN-OUT 1 set peer 202.11.22.33

crypto map VPN-OUT interface outside
crypto isakmp enable outside

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 202.11.22.33 type ipsec-l2l
tunnel-group 202.11.22.33 ipsec-attributes
 pre-shared-key S@mpl30nlY

!NAT exemption also needs to be done.
!Notice that even traffic to US-CLIENT is NAT-exempted here;
!traffic to US-CLIENT is NAT-ed on ASAFWSG1 instead.

access-list NAT_EXEMPTION extended permit ip any 10.1.0.0 255.255.0.0
access-list NAT_EXEMPTION extended permit ip any host 111.22.33.49

nat (inside) 0 access-list NAT_EXEMPTION
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface

3. Relevant VPN configuration for US-CLIENT

!Again, the configuration takes the same form.
!For brevity, we include only the VPN
!and NAT configuration.
!Besides, we normally do not really know the full
!configuration on the client side.

crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

access-list TO_COMPANY-A extended permit ip host 111.22.33.49 host 202.11.22.34

crypto map VPN-OUT 1 match address TO_COMPANY-A
crypto map VPN-OUT 1 set transform-set AES128-SHA
crypto map VPN-OUT 1 set peer 202.11.22.33

crypto map VPN-OUT interface outside
crypto isakmp enable outside

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 202.11.22.33 type ipsec-l2l
tunnel-group 202.11.22.33 ipsec-attributes
 pre-shared-key @$@gr33dW!thCl!3nT

access-list NAT_TO_COMPANY-A extended permit ip any host 202.11.22.34

nat (inside) 2 access-list NAT_TO_COMPANY-A
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 2 111.22.33.49
global (outside) 10 interface
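The three configurations above only work if each LAN-to-LAN pair agrees on three things: the peer address on one box is the outside address of the other, the crypto ACLs are exact mirrors of each other (source and destination swapped), and the pre-shared keys match. Typos in any of these are the usual reason a tunnel never comes up. The following script is an added example, not part of the original post or any Cisco tooling; it parses only the interface, crypto ACL, crypto map and tunnel-group lines of the pre-8.3 style configs shown in this post and cross-checks every peer pair. The config excerpts are constructed from the post, and the US client's outside address (111.22.33.44) is assumed from the peer address ASAFWSG1 points at, since the post does not show that interface.

```python
import ipaddress

# Constructed excerpts of the post's three configs, holding only the lines the checker
# reads. US-CLIENT's outside address is assumed to be the peer ASAFWSG1 points at.
CONFIGS = {
    "ASAFWSG1": """
interface Ethernet0/0
 nameif outside
 ip address 202.11.22.33 255.255.255.240
access-list TO_ASAFWPH1 extended permit ip 10.1.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list TO_ASAFWPH1 extended permit ip host 111.22.33.49 10.5.0.0 255.255.0.0
access-list TO_US-CLIENT extended permit ip host 202.11.22.34 host 111.22.33.49
crypto map VPN-OUT 1 match address TO_ASAFWPH1
crypto map VPN-OUT 1 set peer 122.33.22.11
crypto map VPN-OUT 2 match address TO_US-CLIENT
crypto map VPN-OUT 2 set peer 111.22.33.44
tunnel-group 122.33.22.11 ipsec-attributes
 pre-shared-key S@mpl30nlY
tunnel-group 111.22.33.44 ipsec-attributes
 pre-shared-key @$@gr33dW!thCl!3nT
""",
    "ASAFWPH1": """
interface Ethernet0/0
 nameif outside
 ip address 122.33.22.11 255.255.255.240
access-list TO_ASAFWSG1 extended permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list TO_ASAFWSG1 extended permit ip 10.5.0.0 255.255.0.0 host 111.22.33.49
crypto map VPN-OUT 1 match address TO_ASAFWSG1
crypto map VPN-OUT 1 set peer 202.11.22.33
tunnel-group 202.11.22.33 ipsec-attributes
 pre-shared-key S@mpl30nlY
""",
    "US-CLIENT": """
interface Ethernet0/0
 nameif outside
 ip address 111.22.33.44 255.255.255.240
access-list TO_COMPANY-A extended permit ip host 111.22.33.49 host 202.11.22.34
crypto map VPN-OUT 1 match address TO_COMPANY-A
crypto map VPN-OUT 1 set peer 202.11.22.33
tunnel-group 202.11.22.33 ipsec-attributes
 pre-shared-key @$@gr33dW!thCl!3nT
""",
}

def _net(words):  # consume one ACL address spec: 'any', 'host A', or 'A MASK'
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ipaddress.ip_network(words[1]), words[2:]
    return ipaddress.ip_network((words[0], words[1])), words[2:]

def parse_asa(text):
    """Pull the outside IP, crypto ACL entries, crypto map peers and PSKs out of a config."""
    cfg = {"outside_ip": None, "acls": {}, "maps": {}, "psk": {}}
    nameif = tunnel = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "outside":
            cfg["outside_ip"] = w[2]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src, rest = _net(w[5:])
            cfg["acls"].setdefault(w[1], set()).add((src, _net(rest)[0]))
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = cfg["maps"].setdefault(int(w[3]), {})
            if w[4:6] in (["match", "address"], ["set", "peer"]):
                entry[w[5]] = w[6]  # keys "address" (crypto ACL name) and "peer"
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
            tunnel = w[1]
        elif w[0] == "pre-shared-key" and tunnel:
            cfg["psk"][tunnel], tunnel = w[1], None
    return cfg

def check_peers(configs):
    """Return findings: unknown peers, un-mirrored crypto ACLs and mismatched PSKs."""
    devices = {n: parse_asa(t) for n, t in configs.items()}
    by_ip = {c["outside_ip"]: n for n, c in devices.items()}
    findings = []
    for name, cfg in devices.items():
        for seq, entry in sorted(cfg["maps"].items()):
            peer, acl_name = entry.get("peer"), entry.get("address")
            other = by_ip.get(peer)
            if other is None:
                findings.append(f"{name} seq {seq}: no known device has outside IP {peer}")
                continue
            ocfg = devices[other]
            # The far side's crypto ACL must be ours with source and destination swapped.
            mirror = {(d, s) for s, d in cfg["acls"].get(acl_name, set())}
            back = [e for e in ocfg["maps"].values() if e.get("peer") == cfg["outside_ip"]]
            if not any(ocfg["acls"].get(e.get("address")) == mirror for e in back):
                findings.append(f"{name} seq {seq}: crypto ACL {acl_name} is not mirrored on {other}")
            if cfg["psk"].get(peer) != ocfg["psk"].get(cfg["outside_ip"]):
                findings.append(f"{name} <-> {other}: pre-shared keys differ")
    return findings

if __name__ == "__main__":
    print("as configured:", check_peers(CONFIGS) or "no findings")
    broken = dict(CONFIGS, ASAFWPH1=CONFIGS["ASAFWPH1"].replace("122.33.22.11", "122.55.19.33"))
    print("constructed fault (PH outside address changed):", *check_peers(broken), sep="\n")
```

Run as-is it reports no findings for the configs in this post; the constructed fault at the end changes ASAFWPH1's outside address so that ASAFWSG1's peer no longer resolves to any known device, and the script flags it from both sides. The same check catches a crypto ACL whose name is referenced by the crypto map but defined under a different name, and a pre-shared key that was typed differently on the two ends.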


2 comments:

  1. Another good article for network engineers! This should be used as a reference for those studying CCNA and CCNP.

    There are a lot of insights coming from both theoretical and practical experience aspects.

    Continue the blog and more power to your knowledge sharing activities!

  2. Thanks for the kind words, especially coming from that project's manager :-D
