Hairpinning Remote Access Connections

Unanswered Question
Jul 20th, 2008

Greetings. Like many people, we connect to our customers via either permanent VPN connectivity or via locking down management access to our external company IP address.

Is it possible to configure the ASA 5510 so that I can connect to it using the Cisco VPN client from any location and then connect to customer networks, which are in turn locked down to only permit connections from our external network?

At present I am having to connect to one of our internal servers and use it as a jump-off point to connect to customer networks when I'm off site.


exonetinf1nity Mon, 07/21/2008 - 14:55

Thank you for your reply. I have tried adding said networks to the split tunnel list but am unable to connect to the customer networks via their outside management address.


nikuhappy2010 Mon, 07/21/2008 - 14:59

Yes, it's possible. I have already set this up here, but I want to know which FW is being used by the customer, because I had made it on an ASA which was installed at another location. Cheers

exonetinf1nity Mon, 07/21/2008 - 15:04

I am using an ASA 5510 with 8.0.3(19) code; customer sites use a mix of ASAs, 2800s, 3800s etc. for edge connectivity.

acomiskey Mon, 07/21/2008 - 15:00

We'd have to see the config. Make sure you have something like...

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1

exonetinf1nity Mon, 07/21/2008 - 15:09

Cheers, I currently have the same-security-traffic permit intra-interface statement in place; please find the relevant config below.


interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.***

interface Ethernet0/1
 no nameif
 no security-level
 no ip address

interface Ethernet0/1.997
 vlan 997
 nameif demo
 security-level 100
 ip address

interface Ethernet0/1.998
 vlan 998
 nameif guest
 security-level 25
 ip address

interface Ethernet0/2
 speed 100
 duplex full
 nameif access
 security-level 100
 ip address

interface Ethernet0/3
 speed 100
 duplex full
 nameif voice
 security-level 100
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

same-security-traffic permit inter-interface
access-list ITTelco_SpliTunnel remark ****** Split Tunnel Encrypted Traffic ******
access-list ITTelco_SpliTunnel standard permit
access-list exempt_nat0_outbound extended permit ip
mtu outside 1500
mtu demo 1500
mtu guest 1500
mtu access 1500
mtu voice 1500
mtu management 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-60360.bin
asdm history enable
arp timeout 14400

global (outside) 1 interface
global (outside) 2 guestoutbound
nat (demo) 0 access-list exempt_nat0_outbound
nat (guest) 2
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1
access-group outside_access_in in interface outside
route outside ***.***.***.*** 1
route demo 1

policy-map type inspect im im_Block
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
  inspect icmp error
  inspect pptp
  inspect ipsec-pass-thru
  inspect im im_Block
policy-map serv-pol-outbound
 class csc-scan-class
  csc fail-open

service-policy global_policy global
prompt hostname context

: end


a.alekseev Mon, 07/21/2008 - 22:45

access-list ITTelco_SpliTunnel standard permit
no access-list ITTelco_SpliTunnel standard permit

exonetinf1nity Tue, 07/22/2008 - 14:17

Thank you for your reply. The above allows me to connect to all networks inside the firewall but doesn't allow me to connect via the VPN client and then back out to a customer's external IP address, as per the attached image.


exonetinf1nity Wed, 07/23/2008 - 15:35

Ah, apologies, I shall give that a go in the morning.

Thank you for your help so far.

a.alekseev Tue, 07/22/2008 - 23:22

Do as Adam Comiskey said, and in this case you should disable split tunneling.
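Putting acomiskey's three statements together with the point above about split tunneling, the following is an added configuration example in pre-8.3 ASA syntax; it is not from any participant in this thread, and the pool name, pool range 10.99.0.0/24, group-policy and tunnel-group names are assumed placeholders rather than values from the poster's config.

```text
! Added example, not from this thread; RA_POOL, RA_POLICY, RA_GROUP and
! 10.99.0.0/24 are assumed placeholders.
! Let decrypted VPN client traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface
! Address pool handed to remote-access clients (constructed range).
ip local pool RA_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
! PAT the VPN pool to the outside interface address when it hairpins back out,
! so customer edge devices still see only the company's external IP and their
! existing lockdown to that address keeps working. The existing nat 0
! exemption on the inside interfaces must still cover the pool so that
! VPN-to-inside traffic stays untranslated.
nat (outside) 1 10.99.0.0 255.255.255.0
global (outside) 1 interface
! Send all client traffic through the tunnel (no split tunneling), so customer
! management addresses are reached via the office and not the client's local path.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
```

To check that it is working, connect a client, open a session to a customer management address, and look for the pool address being translated to the outside interface address in `show xlate`; if no translation appears for that flow, the traffic is not hairpinning and is most likely leaving the client's local path instead of the tunnel.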

jsdeprey Tue, 09/16/2008 - 12:46

Did anyone figure out how to do this? I am having the same problem (need to be able to VPN in to the office, then make connections out to the internet via the IP space of the remote office, for security reasons).

I am using a PIX 501.

acomiskey Tue, 09/16/2008 - 14:18

Can't be done with a PIX 501 or any PIX running version 6 code.

