ASA hairpinning problem

Unanswered Question

Not sure what is needed to fix this, but I have an ASA 5520 with 2 interfaces: 1 dmz and 1 outside.

I'm using the ASA for both firewall and VPN, but the problem occurs when people internally try to test the VPN portion and it directs them to the public IP address of the outside interface of the ASA. So the traffic comes in on interface dmz and needs to return out that same interface. VPN access is only allowed on the outside interface. I have the following already configured.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

acomiskey Tue, 05/13/2008 - 10:51

Any chance you could explain that in a different way? It's a little confusing what you are trying to accomplish, thanks.

srue Tue, 05/13/2008 - 11:13

Do you have users/testers on the dmz trying to establish a VPN connection to the outside interface of the ASA?

srue Tue, 05/13/2008 - 11:57

I'm not sure that's possible (though I've never tried).

Is nat-control enabled?

The ASA is used for VPN. Users, whether they are internal or external to my network, use the same DNS entry, which has a public IP address. Externally everything works fine. The problem occurs when testing VPN internally: users need to connect to the external IP address of the ASA and it doesn't work. Hopefully that makes more sense.

I know I can enable VPN on the dmz interface but didn't want to do that.
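An added configuration example, not from any post in this thread, of the option the original poster mentions but did not want to take: terminating the VPN on the dmz interface as well as on outside. The reason it is the relevant option is that the two `same-security-traffic` commands only govern through-the-box traffic; to-the-box traffic such as VPN termination is accepted only on the interface the packet arrives on, and the ASA does not let a host behind one interface reach the address of a different interface. The interface names, the crypto map name `outside_map`, the hostname and the 192.0.2.1 address are assumptions, as is the ASA 8.0-era syntax (chosen to match the 2008 date of the thread).

```cisco
! Added example (not from the thread). Assumes ASA 8.0-era syntax, interfaces
! named "outside" and "dmz", and an existing remote-access crypto map called
! outside_map that is already applied to outside.

! IPsec remote access: accept IKE on dmz and bind the same crypto map there.
crypto isakmp enable dmz
crypto map outside_map interface dmz

! SSL VPN (if the portal/AnyConnect is the "VPN portion" being tested):
! enable it on dmz as well as outside.
webvpn
 enable dmz

! Internal testers must then resolve the VPN hostname to the dmz interface
! address instead of the public outside address. That is done in the internal
! (split-horizon) DNS, not on the ASA, e.g. an A record of
!   vpn.example.com -> 192.0.2.1   (assumed dmz interface IP)
! External users keep resolving the same name to the outside address.
```

Because the VPN is now reachable from the dmz network, the same access control that applies to the outside VPN endpoint (tunnel-group, group-policy and any vpn-filter) applies on dmz too; nothing here widens what a connected client can reach.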
