617 Views | 0 Helpful | 6 Replies

ASA hairpinning problem

Darren Sasso (Level 1)

Not sure what is needed to fix this, but I have an ASA 5520 with two interfaces: one dmz and one outside.

I'm using the ASA for both firewall and VPN, but the problem occurs when people internally try to test the VPN portion and it directs them to the public IP address of the outside interface of the ASA. So the traffic comes in on interface dmz and needs to return out that same interface. VPN access is only allowed on the outside interface. I have the following already configured:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

6 Replies

acomiskey (Level 10)

Any chance you could explain that in a different way? It's a little confusing what you are trying to accomplish, thanks.

darren:

Do you have users/testers on the dmz trying to establish a VPN connection to the outside interface of the ASA?

Yes that is correct. I can enable VPN on the dmz interface but didn't want to do that.

I'm not sure that's possible (though I've never tried).

Is nat-control enabled?

Yeah, I'm not sure if that will work either, but I thought I'd throw it out there.

Yes nat-control is enabled.

The ASA is used for VPN. Users, whether they are internal or external to my network, use the same DNS entry, which has a public IP address. Externally everything works fine. The problem occurs when testing VPN internally: users need to connect to the external IP address of the ASA and it doesn't work. Hopefully that makes more sense.

I know I can enable VPN on the dmz interface but didn't want to do that.
