Routing Between IPSec Tunnels - Please Help

Answered Question
Nov 26th, 2007

Okay guys, here's the situation:


I have three sites (sites A, B, and C). There is a site-to-site IPsec tunnel between PIXs from an internal LAN on site A (172.30.10.0 /24) to an internal LAN on site B (192.168.20.0 /24), and another tunnel from site B to site C (172.30.20.0). How can I route traffic from site A to C across the existing tunnels without creating another tunnel between sites A and C? Many thanks in advance.


-Ryan

Correct Answer
elparis Mon, 11/26/2007 - 14:02
User Badges:
  • Cisco Employee,

Hi Ryan,


What you want to do is called hairpinning or u-turn VPN.


Here's a technical tip on cisco.com that goes over the configuration details:


PIX/ASA 7.x Enhanced Spoke-to-Spoke VPN Configuration Example


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml


The key command is "same-security-traffic permit intra-interface" on the PIX on site B.


Hope this helps.


Eloy.-

srue Mon, 11/26/2007 - 15:35
User Badges:
  • Blue, 1500 points or more

I don't think hairpinning will solve the problem. Perhaps some simple static routes to get from A->C, and C->A. Also, update your crypto ACLs at each point to allow the traffic to get from A->C, and C->A, as well as normal ACLs.


elparis Tue, 11/27/2007 - 14:53
User Badges:
  • Cisco Employee,

Actually the setup requires hairpinning/u-turn VPN. I didn't make this up.


You are right in that routing needs to be taken care of, i.e. the PIX in site A needs to know that to get to site C it needs to send traffic out the outside interface, and the crypto ACLs need to be taken care of as you describe.


What I meant by "the same-security-traffic permit intra-interface command is key" is that this command is necessary so the PIX in site B can send traffic out on the same interface it was originally received (traffic from site A arrives on the outside interface and needs to be sent out the same interface so it can reach site C). Without this command in the PIX on site B u-turn VPN won't work, even if routing and the crypto ACLs are taken care of.


I didn't go into details when I first replied to Ryan because I thought that all the details, including routing, crypto ACLs, and the same-security-traffic command, are well presented in the tech. tip I mentioned in that original reply yesterday.


Ryan got it to work so everything is good, though :-)


Cheers,


Eloy.-
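
The site B hub configuration that Eloy's replies describe (intra-interface permit, crypto ACLs that also carry the A<->C subnets, routes out the outside interface), written out as an added PIX/ASA 7.x example that is not from this thread or the linked tech tip. It assumes site C is 172.30.20.0/24, uses placeholder peer and gateway addresses, and assumes ISAKMP policy and pre-shared keys for both peers are already configured.

```cisco
! Site B (hub) PIX/ASA 7.x, constructed example for the A<->C u-turn
! Site A LAN 172.30.10.0/24, site B LAN 192.168.20.0/24, site C LAN 172.30.20.0/24 (assumed /24)
!
! 1. Let decrypted traffic that arrived on outside leave on outside again
same-security-traffic permit intra-interface
!
! 2. Crypto ACL for the A tunnel: B<->A plus the hairpinned C<->A flow
access-list TO_SITE_A extended permit ip 192.168.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list TO_SITE_A extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0
!
! 3. Crypto ACL for the C tunnel: B<->C plus the hairpinned A<->C flow
access-list TO_SITE_C extended permit ip 192.168.20.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list TO_SITE_C extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
!
! 4. NAT exemption for B's own LAN; outside-to-outside hairpinned traffic never hits the inside NAT rule
access-list NO_NAT extended permit ip 192.168.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.20.0 255.255.255.0 172.30.20.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! 5. One crypto map, one entry per spoke
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address TO_SITE_A
crypto map OUTSIDE_MAP 10 set peer <SITE_A_PEER_IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address TO_SITE_C
crypto map OUTSIDE_MAP 20 set peer <SITE_C_PEER_IP>
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! 6. Both remote LANs are reached through the outside interface
route outside 172.30.10.0 255.255.255.0 <SITE_B_OUTSIDE_GW>
route outside 172.30.20.0 255.255.255.0 <SITE_B_OUTSIDE_GW>
!
! --- Site A (spoke): its single crypto ACL toward B must mirror B's TO_SITE_A ---
access-list TO_SITE_B extended permit ip 172.30.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list TO_SITE_B extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
route outside 172.30.20.0 255.255.255.0 <SITE_A_OUTSIDE_GW>
! Site C mirrors this with 172.30.20.0 as source and 172.30.10.0 as destination.
```

With `sysopt connection permit-vpn` at its default, decrypted tunnel traffic bypasses the outside interface ACL, so the A<->C flow is bounded only by the crypto ACLs above; a `vpn-filter` in the tunnel group's group-policy is the place to narrow it further.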

ryandibble Tue, 11/27/2007 - 14:36

Eloy,


The hairpinning worked like a charm! Many, many thanks for your help.


-Ryan

elparis Tue, 11/27/2007 - 14:46
User Badges:
  • Cisco Employee,

Awesome! Glad it worked Ryan. Very cool.


Cheers,


Eloy.-
