There Might Be Coffee

Well, so much for this weeke... this mon... this year.
Sleep schedule got shafted this weekend. Guess I know what I'm doing tomorrow.

Cue random junk:

Me: also, the routing table thing is kinda cool.
though I worry slightly at regularly polling that much information via SNMP.
Me: HAH. mobage support request form includes an "Emotional State" drop-down box. I am amused by this.
Co-Worker: Heh
Co-Worker: How come A01 only has BGP neighbours?
Me: probably for the same reason A02 only has BGP neighbours
Co-Worker: How come $NEWFEATURE only half-assed works?
Me: Because "Feature".

Cue Cisco stuff:
Ran into the need to NAT traffic entering an 'outside' interface via a crypto map a while back. There were far more rational solutions to deal with this scenario, but, you know - the real world never has time for rational solutions.

In this case, ASA for SSL Mobility clients.
IPSEC Crypto-map from ASA to existing corporate gateway for LAN access (servers and junk). Could just NAT the ASA LAN traffic directly, but... real world, remember?
Traffic from hits lo255 on R1, then gets NAT'd.
Cue visual aid:

Forgive the crudeness of the diagram. Diagramming on a laptop touch-pad and all that.

Since packets enter R1 from its 'ip nat outside' interface, it's too late to NAT them directly: inside-source translation only happens when a packet is routed from an 'ip nat inside' interface to an 'ip nat outside' one, and these packets never touched an inside interface. Can't use a pseudo 'tunnel' interface because of the ASA...
So, punt them via route-map to an 'inside' interface so that NAT can occur. This is the old "NAT on a stick" trick: the policy route sends the decrypted packets out Loopback255, they loop straight back in as if received on an 'inside' interface, and from there they're routed (and now NAT'd) back out the interface from which they came.
Using 'set ip next-hop' in the route-map seemed to work much to my surprise rather than I expect it has something to do with NAT order of operation, but I can't see why exactly.

Cue code:

hostname R1
!
! ISAKMP policy, peer authentication and the AES256 transform-set are
! assumed to be configured elsewhere and are not shown here.
crypto map gi0-0-out 10 ipsec-isakmp
  set peer
  set transform-set AES256
  match address 100
!
! NAT-on-a-stick target: traffic policy-routed here loops back into the
! router as if it had been received on an 'ip nat inside' interface.
interface Loopback255
  description Loopback target for NAT hairpin
  ip address
  ip nat inside
  ip virtual-reassembly
!
! Tunnel termination and the only 'ip nat outside' interface. The policy
! route-map applies to everything received on this interface, including
! packets the crypto map has just decrypted.
interface GigabitEthernet0/0
  ip address
  ip nat outside
  ip policy route-map TELECOMMUTER-HAIRPIN
  crypto map gi0-0-out
!
route-map TELECOMMUTER-HAIRPIN permit 10
  match ip address HAIRPIN
  ! Still a bit fuzzy on this one, but I believe redirect to a host on
  ! lo255's subnet rather than the address, so the packets hit the 'interface'
  set ip next-hop
!
! Hairpinned traffic leaves via Gi0/0 again and is overloaded onto its address.
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 100 remark ASA Interesting Traffic
access-list 100 permit ip
!
access-list 101 remark Don't NAT traffic to ASA LAN subnet, so it gets picked up by crypto map
access-list 101 deny   ip
access-list 101 remark Inside subnets to NAT
access-list 101 permit ip any
!
ip access-list extended HAIRPIN
  remark For route-map to NAT traffic arriving via ASA crypto map
  remark Don't punt LAN-to-LAN traffic
  deny   ip
  remark Redirect everything else
  permit ip any
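One caveat a practitioner would want on the HAIRPIN list above: 'ip policy route-map' on Gi0/0 is evaluated for every packet received on that interface, cleartext internet traffic included, not only for packets the crypto map has just decrypted, and a source of 'any' policy-routes all of it into the NAT hairpin. The tightened list below, plus the show/debug commands to confirm the hairpin is actually doing what the diagram says, is an added example and not part of the original post. The 192.0.2.0/24 client pool and 198.51.100.0/24 LAN are placeholder addresses from the RFC 5737 documentation ranges, not the author's, and the ASA client pool is assumed to be the only legitimate source arriving through the tunnel.

```cisco
! Added example: tighter HAIRPIN list for R1 (placeholder addresses).
!   192.0.2.0/24    - ASA SSL client pool, the only traffic that should
!                     ever be hairpinned
!   198.51.100.0/24 - R1 LAN
ip access-list extended HAIRPIN
  remark Don't punt LAN-to-LAN traffic
  deny   ip 198.51.100.0 0.0.0.255 198.51.100.0 0.0.0.255
  remark Only hairpin what actually came out of the ASA tunnel
  permit ip 192.0.2.0 0.0.0.255 any
  remark Anything else arriving on Gi0/0 is routed normally (implicit deny)
!
! Verification, from enable mode. Each line is one command; the comment
! above it says what to look for.
!
! Gi0/0 should list TELECOMMUTER-HAIRPIN as its policy route-map
show ip policy
! "Policy routing matches" should climb while a client pushes traffic
show route-map TELECOMMUTER-HAIRPIN
! decaps counters on the ASA peer's SA confirm the tunnel side is working
show crypto ipsec sa
! Inside local should be client-pool addresses, inside global Gi0/0's address
show ip nat translations
show ip nat statistics
!
! If the route-map counts matches but nothing shows up in the translation
! table, the next-hop is probably not a host on Lo255's subnet. Both debugs
! log per packet, so use them briefly and preferably with an access-list
! argument to limit the output.
debug ip policy
debug ip nat
```

The implicit deny at the end of the tightened list is the point: anything on Gi0/0 that did not come from the client pool falls through to ordinary routing instead of being bounced off the loopback and NAT'd. The deny for LAN-to-LAN traffic is kept only to preserve the shape of the original list; with the source restricted to the client pool it no longer matches anything.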

