Hairpinning Question

Answered Question
Aug 29th, 2007

I'm sure that this has been asked, but I cannot find it. I have my users connecting to my office (Site A in the diagram) using the Cisco VPN client. I also have my office connected to another (site B) via an IPSec tunnel. All of this works fine.

What I want to do is to get the VPN clients to go through my site to site B, through the tunnel.

Traffic through the tunnel is being PATed to the 69.x.x.x address on the outside of my PIX. I am attaching a diagram.


Thanks in advance for any help,

Paul
purohit_810 Wed, 08/29/2007 - 11:03

Paul,


Configuration??


Okay... are you using a routing protocol? If yes, add that subnet to the advertisement. It will be able to access site B also.


If you use static routes, it seems to be a stub network; use a default route.


Put a static route for network 32.X.X.X.



Regards,

Dharmesh Purohit

acomiskey Wed, 08/29/2007 - 11:06

You should only have to allow hairpinning with same-security-traffic permit intra-interface and also add the VPN client subnet 192.168.21.0/24 to your interesting-traffic ACLs on the Site A and Site B PIXes. This assumes you have version 7.


How about posting a clean config?

pstebner1 Wed, 08/29/2007 - 11:34

Thanks, guys. Here is a config that I scrubbed.

I have 7.2(2) on my PIX. Site B is a client of ours so we have no control over it.


Paul

Correct Answer
acomiskey Wed, 08/29/2007 - 11:41

access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.yy.yy.yy 255.255.255.255

same-security-traffic permit intra-interface


Remote site would also need to add the interesting traffic and nat exemption to 192.168.21.0. I suppose since you have no control over the far end that you need to somehow make 192.168.21.0 appear as 66.x.x.x. This would eliminate you needing to change anything on the far end.


Maybe like this...


nat (outside) 1 192.168.21.0 255.255.255.0 outside

pstebner1 Wed, 08/29/2007 - 11:45

I guess therein lies my question. Is there any way to get the 192.168.21.x address space PATed on the outside interface just like my internal network? Or maybe use policy NAT?

acomiskey Wed, 08/29/2007 - 11:46

I added to the end of my last post...just make sure you have the same-security-traffic command as well.


Oh, and don't forget to add the remote lan to the split tunnel acl.


access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
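
The pieces from acomiskey's posts assembled into one PIX 7.2 fragment, as an added example that is not from the thread: it keeps the masked addresses as the posts give them, assumes the existing global (outside) 1 PAT already serving the LAN, and uses VPN_GROUP_POLICY as a placeholder for whatever group policy the Cisco VPN clients use.

```cisco
! Added example (not from the thread): hairpinning VPN clients into the
! site-B tunnel on a PIX running 7.2. VPN_GROUP_POLICY is a placeholder.

! 1. Hairpinning: let traffic that entered via 'outside' (decrypted VPN
!    client traffic) leave via 'outside' again (re-encrypted for site B).
!    This applies to every same-security interface, so the crypto ACL and
!    the group policy below are what bound what the clients can reach.
same-security-traffic permit intra-interface

! 2. Interesting traffic for the site-B tunnel. Keep the existing LAN entry;
!    this added line is only used if the client pool is sent untranslated,
!    in which case the far end would need a mirror entry for 192.168.21.0.
access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 host 32.yy.yy.yy

! 3. Outside NAT for the client pool. The trailing 'outside' keyword enables
!    translation of traffic that arrived on the outside interface, and NAT
!    id 1 reuses the 'global (outside) 1 ...' PAT address the LAN already
!    uses, so site B keeps seeing the address it already permits.
!    Assumption: NAT is applied before the crypto map match, so the existing
!    crypto ACL entry for the PAT address carries these flows and nothing
!    has to change on the client's firewall.
nat (outside) 1 192.168.21.0 255.255.255.0 outside

! 4. Split tunnel: the site-B network must be routed into the client tunnel.
!    Assumes the group policy already uses a tunnelspecified split list.
access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
group-policy VPN_GROUP_POLICY attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value splitTunnelAcl

! 5. Checks from the PIX CLI while a client is connected and talking to site B:
!    show xlate | include 192.168.21          -> client flows translated to PAT
!    show crypto ipsec sa | include 32.yy.yy.yy -> encaps/decaps counters rising
!    show running-config same-security-traffic -> intra-interface is permitted
```

If the xlate table shows no entry for the client pool while counters stay flat, the nat (outside) line is not matching, which is the first place to look before touching the far end.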

acomiskey Wed, 08/29/2007 - 11:58

Sweet, glad it worked. I'll have to try that myself sometime. Thanks for the rating.
