I know this is absurd at first glance but please bear with me!
Is it possible to have an ASA 5505 or similar device ingress traffic on an interface and then hairpin the traffic into an IPsec tunnel that egresses back out the same interface?
We have a need for a VPN solution that will allow remote users in to access some resources on a host network that is protected by a PIX acting as an EasyVPN server.
This is of course a simple config in typical scenarios where obvious inside and outside segments exist.
Our problem, though, is that we want to configure a hardware device in client mode and ship it to the remote location, have them simply drop it on their inside LAN, and then simply route to it with a persistent route on their workstations in order to reach us, thus not disturbing any of their existing configuration.
Ideally, configuring the inside and outside ports on the same logical subnet would be great, but obviously this doesn't work.
We want to do this because the remote locations vary in their topologies and we want to offer them a non-invasive drop-on-the-wire solution that will establish a tunnel automatically.
Can the same-security-traffic permit intra-interface command be adapted somehow to facilitate this?
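For reference, this is what the intra-interface hairpin the question is asking about looks like on an ASA when the tunnel is a site-to-site (L2L) crypto map on the one connected interface, rather than EasyVPN hardware-client mode. It is an added example, not the poster's configuration and not a verified answer for the EasyVPN-client-mode case the post asks about; it assumes ASA 8.2-era NAT syntax, an interface named "outside", and placeholder addresses (192.0.2.0/24 for the remote LAN, 203.0.113.0/24 for the host network, 198.51.100.1 for the peer, and a pre-shared key placeholder).

```cisco
! Added example (ASA 8.2-style syntax assumed). Workstations on 192.0.2.0/24 point
! a persistent route for 203.0.113.0/24 at this ASA's outside address; the ASA
! receives the packet on "outside", routes it back out "outside" via the default
! route, and the crypto map then encrypts it. Without the line below the ASA
! drops traffic that would enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Interesting traffic for the tunnel and matching NAT exemption (placeholder subnets)
access-list HQ_TRAFFIC extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list NO_NAT extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (outside) 0 access-list NO_NAT
!
! Default route out the single interface (placeholder gateway)
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! IKEv1 / IPsec site-to-site toward the head-end (placeholder peer and key)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HQ_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PRESHARED_KEY
```

To confirm the hairpin is actually taking the encrypted path, send traffic from a workstation toward 203.0.113.0/24 and watch the encaps/decaps counters in show crypto ipsec sa climb; if they stay at zero while the workstation's traffic is reaching the ASA, the packet is being routed or NAT'd before the crypto map sees it, which is the usual failure mode with this kind of U-turn design.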