In the previous section, you saw how to configure and troubleshoot both LAN-to-LAN and Remote Access VPN on the PIX firewall. In this section, you will examine a new feature in PIX version 7.0 called Hairpinning, which allows the PIX firewall to act as a hub for Remote Access VPN clients and LAN-to-LAN peers at the same time. With Hairpinning, the PIX allows traffic to be routed back out the same interface on which it was received. The case study is based on Figure 7-1 and on the LAN-to-LAN and Remote Access VPN client configurations built in the previous sections.
The goal of this case study is to ensure that the Remote Access VPN client laptop (see Figure 7-1) can make a VPN connection to PIX-A and access the private network behind it (192.168.1.0/24). Additionally, the same Remote Access VPN client must be able to reach resources on the PIX-B private network (192.168.2.0/24). This is accomplished with a LAN-to-LAN tunnel between PIX-A and PIX-B that also carries the VPN client's traffic.
Before you attempt to configure Hairpinning, you must ensure that both the VPN client and the LAN-to-LAN connections work independently. Configuring Hairpinning involves reconfiguring the hub PIX (PIX-A) and the LAN-to-LAN peer (PIX-B). You do not need to make any configuration changes on the VPN client.
Work through the following steps to configure the Hub PIX (PIX-A):
Review the existing LAN-to-LAN and Remote Access VPN configurations on PIX-A. Example 7-54 shows the configuration built up so far on PIX-A for both connection types.
Example 7-54. Current Configuration on the PIX-A for both LAN-to-LAN and Remote Access VPN Connections
PIX-A# show running-config
! Showing only the LAN-to-LAN and Remote Access VPN connections on PIX-A
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.172.164 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! The following access-list is used for LAN-to-LAN tunnel
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! The following pool assigns the IP address to the VPN Client for the Remote
! Access VPN connection
ip local pool mypool 192.168.0.1-192.168.0.100
route outside 0.0.0.0 0.0.0.0 172.16.172.1 1
! The following lines are used to define the WINS and DNS Server IP
group-policy mypolicy internal
group-policy mypolicy attributes
 wins-server value 172.16.172.166
 dns-server value 172.16.172.165
! The following username is defined for the Remote Access VPN
username cisco password 3USUcOPFUiMCO4Jk encrypted
! The following transform set is used for both LAN-to-LAN and Remote Access VPN
! connections.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! This dynamic crypto map is for Remote Access VPN
crypto dynamic-map mydyn 1 set transform-set myset
crypto dynamic-map mydyn 1 set reverse-route
! The following lines are for LAN-to-LAN crypto map
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 172.16.172.163
crypto map mymap 10 set transform-set myset
! The following crypto map is for Remote Access VPN
crypto map mymap 20 ipsec-isakmp dynamic mydyn
! Crypto map is applied with the following line on the outside interface.
crypto map mymap interface outside
! ISAKMP is applied on the outside interface
isakmp enable outside
! Following lines are for ISAKMP policy 10 (user defined)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
! ISAKMP policy 65535 is the default policy on PIX
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
! Tunnel-group name with the Peer IP address is for LAN-to-LAN tunnel
tunnel-group 172.16.172.163 type ipsec-l2l
tunnel-group 172.16.172.163 ipsec-attributes
 pre-shared-key *
! Tunnel-group name mygroup is the tunnel-group for Remote Access VPN
tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
 address-pool mypool
 default-group-policy mypolicy
tunnel-group mygroup ipsec-attributes
 pre-shared-key *
!
PIX-A#
Modify access-list 101 so that the IP local pool network is also interesting traffic for the LAN-to-LAN tunnel, as shown in Example 7-55.
Example 7-55. Access-list Modification on the Hub PIX (PIX-A)
PIX-A# show running-config access-list 101
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A# configure terminal
! The following line adds the IP local Pool address for the LAN-to-LAN tunnel,
! so that Remote Access VPN client can pass traffic through this LAN-to-LAN
! tunnel to the private network of the PIX-B firewall.
PIX-A(config)# access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)# show running-config access-list 101
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)#
Enable Hairpinning, so that traffic arriving on the outside interface from the VPN client can be sent back out the same interface into the LAN-to-LAN tunnel, with the following command:
PIX-A(config)# same-security-traffic permit intra-interface
Work through the following steps to configure the LAN-to-LAN peer (PIX-B):
Be sure that PIX-B can establish a tunnel with the hub PIX (PIX-A) and that their respective private networks can pass traffic through the tunnel.
Add an entry to access-list 101 on PIX-B that defines the VPN client network as interesting traffic for the VPN tunnel. The VPN client network is the IP pool defined on PIX-A for the Remote Access VPN tunnel; in this setup, the pool contains addresses 192.168.0.1 through 192.168.0.100. Example 7-56 shows the access-list changes needed on PIX-B.
Example 7-56. Access-list Configuration Changes Needed on PIX-B
! Check the existing Access-list for the LAN-to-LAN tunnel
PIX-B(config)# show running-config access-list
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! The following line adds network 192.168.0.0/24, which is for the VPN client
! network
PIX-B(config)# access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
! Verify the access-list configuration on PIX-B
PIX-B(config)# show running-config access-list
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
PIX-B(config)#

No additional configuration is required on the VPN Client software.
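As an added consistency check (example code written for this section, not from the book or from Cisco), the following Python audit parses crypto access-lists in the form used in Examples 7-55 and 7-56, confirms that the hub permits intra-interface traffic and that the whole IP pool is covered toward the PIX-B network, and flags any hub entry that lacks a mirror-image entry on the peer, which is the usual cause of a Phase 2 failure after a hairpin change. The sample configurations are constructed, and the function and variable names are my own.

```python
import ipaddress

def parse_crypto_acl(config_text, acl_name="101"):
    """Collect (src, dst) networks from 'access-list NAME extended permit ip SRC MASK DST MASK'."""
    entries = []
    for line in config_text.splitlines():
        p = line.split()
        if len(p) >= 9 and p[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            entries.append((ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False),
                            ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)))
    return entries

def audit_hairpin(hub_config, peer_config, pool_first, pool_last, spoke_net):
    """Return a list of findings; an empty list means the hairpin setup looks consistent."""
    findings = []
    hub, peer = parse_crypto_acl(hub_config), parse_crypto_acl(peer_config)
    # 1. The hub must allow traffic to enter and leave the same interface.
    if "same-security-traffic permit intra-interface" not in hub_config:
        findings.append("hub: same-security-traffic permit intra-interface is missing")
    # 2. Every pool address must be a permitted source toward the spoke network on the hub.
    lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    spoke = ipaddress.ip_network(spoke_net)
    if not any(lo in s and hi in s and spoke.subnet_of(d) for s, d in hub):
        findings.append(f"hub: pool {pool_first}-{pool_last} not in crypto ACL toward {spoke_net}")
    # 3. Each hub entry needs a mirror-image (dst, src) entry on the peer, or Phase 2 fails.
    for s, d in hub:
        if (d, s) not in peer:
            findings.append(f"peer: no mirror entry for {s} -> {d}")
    return findings

# Constructed sample configs modelled on Examples 7-55 and 7-56 (not captured from a real PIX).
HUB_OK = """\
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
same-security-traffic permit intra-interface
"""
PEER_OK = """\
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Common mistake: the hub's ACL pasted onto the peer without swapping source and destination.
PEER_COPIED = HUB_OK.replace("same-security-traffic permit intra-interface\n", "")

if __name__ == "__main__":
    print(audit_hairpin(HUB_OK, PEER_OK, "192.168.0.1", "192.168.0.100", "192.168.2.0/24"))
    print(audit_hairpin(HUB_OK, PEER_COPIED, "192.168.0.1", "192.168.0.100", "192.168.2.0/24"))
```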